Update on Medical Informatics Engineering breach (update3)
I’ve previously reported on the breach at Medical Informatics Engineering that affected a number of their Medical Informatics Engineering and NoMoreClipboard clients.
Today, they provided an update on the breach. Much of it is a rehash of the previous notification, but there are some additional details on the types of information compromised:
The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.
Individuals who are affected should have received letters or will be receiving them shortly if the vendor has a valid postal address for them:
On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.
On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.
As noted previously, the firm is offering two years of credit monitoring and identity theft protection services.
The incident is still not up on HHS’s public breach tool, so we don’t have a total number affected yet.
Update July 25: Expect to see even more media coverage now that letters are starting to hit. Today, for example, I saw this report on Hutchinson Regional Medical Center in Kansas and this one on Margaret Mary Community Hospital in Indiana.
Update July 28: Medical Informatics’ correspondence with the New Hampshire Attorney General’s Office can be found here.
Update July 30: Now this is smart: Franciscan Alliance, hearing that their patients were having hassles with the phone hotline and the Experian sign-up, posted something on their site specifically for their patients to tell them how to sign up successfully and to tell them that they had already spoken with the hotline about adding more operators to handle all the calls. They also provided their own FAQ to make sure patients understood how and why MIE had their information.
Even though MIE is doing the notifications, staying on top of them to make sure that your patients are being assisted during this stressful time and experience is so important. Well done, Franciscan Alliance.