I’ve previously reported on the breach at Medical Informatics Engineering that affected a number of their Medical Informatics Engineering and NoMoreClipboard clients.
Today, they provided an update on the breach. Much of it is a rehash of the previous notification, but there are some additional details on the types of information compromised:
The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.
Individuals who are affected should have received letters or will be receiving them shortly if the vendor has a valid postal address for you:
Notification
On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.
On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.
As noted previously, the firm is offering two years of credit monitoring and identity theft protection services.
The incident is still not up on HHS’s public breach tool, so we don’t have a total number affected yet.
Update July 25: Expect to see even more media coverage now that letters are starting to hit. Today, for example, I saw this report on Hutchinson Regional Medical Center in Kansas and this one on Margaret Mary Community Hospital in Indiana.
Update July 28: Medical Informatics’ correspondence with the New Hampshire Attorney General’s Office can be found here.
Update July 30: Now this is smart: Franciscan Alliance, hearing that their patients were having hassles with the phone hotline and the Experian sign-up, posted something on their site specifically for their patients to tell them how to sign up successfully and to tell them that they had already spoken with the hotline about adding more operators to handle all the calls. They also provided their own FAQ to make sure patients understood how and why MIE had their information.
Even though MIE is doing the notifications, staying on top of them to make sure that your patients are being assisted during this stressful time and experience is so important. Well done, Franciscan Alliance.
I will not disclose my name and or email address inasmuch my health care providers apparently have not been affected, or, you have omitted to list them. It goes without saying that I will not list them, I will pursue a separate avenue of investigation that I have employed successfully in the past. If you feel that our data has been compromised, you may wish to communicate the last two digits of my SSN, and the same for my home address: This system has been most successful to ferret out perpetrators, or, negate the sordid threat of having been hacked. I have communicated your letter to the hospital that we have used without any problems, they will challenge local authorities to follow up. For your info I am an international consultant, specialized in such type of investigations.
You idiots! You recruit a EXPERIAN? They try calling their “we’re here for you” telephone number, 866-579-4461. “We are experiencing higher than normal calls at this time. Please call later or on another day” CLICK!
You SUCK MIE. I’ve wasted an hour on their stupid login. The system dumps you out and then you have to start all over. Your stupid letter is from an entity that we don’t have any business with. You bury the affected business name deep in your communication, and then say you are passing our ‘safety’ off to Experian, and then provide a link to yet another website, which says they are an affiliated company of Experian. So far I see that you have involved 5 entities. Too many names. The interface is of the style that you saw 10 or 15 years ago. Experian Sucks, and you suck for hiring them.
There’s a lot of frustration and anger out there now…
Why and how does MIE have my info? Live out west and rarely visit doctors–dentist and eyes in last year and half. I’m confused and concerned. Also, followed directions to enroll in Protectmyid to no avail. What the h&^%!?
Read George Jenkin’s post on his experience trying to find out how they got his wife’s information. George also has a complete list of MIE/NoMoreClipboard clients who were affected. If you look at that list, maybe you’ll recognize a provider you used at some point?
You can also call their hotline and ask them how MIE/NMC got your information.
I’m not sure about the problems you had enrolling in ProtectMyID. That site is not maintained by MIE, but by Experian. If you’re having trouble with that site, contact them.
My info was hacked. Called MIE’s “hotline”. Took 4 tries to reach a representative. Was told that they had “all of it” when I asked specifically what medical data was hacked. Good that MIE is offering 2 years’ coverage through Experian, but it does not insure against fraudulent billing on other activity involving ALL of my health care information. Creepy……
You raise an excellent point. You need to remain vigilant by checking your EOB statements from your insurer if your insurance number was involved in the breach at all.
Thank you, Dissent. You’ve provided me with great information and a path to follow (and nope, did not recognize any of the providers on that inclusive list). I’m thinking Experian may not be that viable of an option at this point. Finally, may I just add that I like and admire your style.
You’re very welcome. If the Experian service doesn’t cost you anything, you might want to consider it if your SSN or identity info were involved.
The letter I received yesterday does not mention anything about PHI being compromised. Yet, if what is being reported in this blog is true, then the company is in gross violation of HIPAA. They are required to spell out in detail types of information that was disclosed. My letter states my “SSN, Birth Date, Address, Phone, and e-mail” How is that anyway close to what was really taken???? !!!!!!!!!
The type of information involved varies by individual and client. It’s the client who determines what kind of info MIE/NMC was storing for them.
If MIE/NMC had your health information caught up in the breach, they would disclose that in your individualized notification. Other people are getting letters that list different types of info for them.
Having the SSN is bad enough for you to take this all seriously and take steps to protect yourself.
Ah, the joys of “cloud” based computing. It’s always a great idea to stick extremely personal data on systems that have an attack surface of the moon.
Have received the letter with the code and the engagement code to activate the free credit monitoring. The problem is that neither one of the codes works at protect my id. The phone numbers that you need to call are robo answering machines that keep you going on an endless loop and will not provide you with the service promised. What service are they providing?
Their phone lines are probably overloaded. This happens in massive breaches where everyone gets notified at around the same time. Wait a few days and try again if you can’t get through. In the meantime, consider putting an alert or freeze on your credit report if you don’t anticipate needing to open any new accounts in the near future.
after calling 5 different phone numbers for an hour I finally got a real person after being put on hold numerous times I got a new activation number and confirming I was on the correct page they had me try again but it said the number was not valid now tell me to try later or call another and set it up over the phone the number still don’t work and its back to calling and trying to get thru before my phone battery goes dead
I don’t want to invade your privacy, but if you’re a patient of Franciscan Alliance, they’ve set up a second phone number for their patients to get help and assistance from Experian. If you’re one of their patients, see this notice for the phone number: http://www.franciscanalliance.org/miebreachfaq/pages/default.aspx
OK, this is the second data breach letter I have gotten in the last 6 months.
I work in the IT business and yes for healthcare as well, so I know what the government requirements are to safeguard personal information.
What I don’t get is why are the companies getting away with offering 2 years of protection as my SSN and birthday will never change in my lifetime.
How can we request companies that deal with this kind of information to provide lifetime protection and have to budget that. It’s too easy for them getting away with lack of security. If you want to deal in that environment, you need to be able to protect all the data and be able to stand by it.
I’ve argued (futilely) for years now that all companies should form a pool and provide all consumers ongoing protection and monitoring.
Unfortunately, I do not rule the world.
Yet.
Dissent (space, space, space) “Yet.” You crack me up! So you think I’d benefit if I enroll with Experian? Should I attempt to find out how/why MIE has my info or doesn’t that matter anymore…? I know my questions are rather simplistic, but I am not at all savvy with any of this breach/security/ID theft garbage and I appreciate any and all input very much.
Yes, if you do not already have any credit monitoring protection, it would be good to take advantage of the free offer. You should also consider contacting one of the “Big 3” credit reporting companies (Equifax, Experian, TransUnion) and placing an alert on your credit report. Just tell them that you were notified your identity information was stolen. If you don’t need to open any new accounts soon, the alert will give you additional protection at no cost to you. That alert can be renewed every 90 days if you continue to fear you are at risk.
See the FTC’s site and Privacy Rights Clearinghouse site for other tips on how to protect yourself.
Thank you yet again—You’re very good to me! And I shall heed your sensible and practical advice.
You take this as a joke? Don’t rule world yet!! You guys compromise my info and get Experian (who also sells info) to show me all the things “I” need to babysit for who knows how long. I would prefer a true identity theft company to babysit my cyber info that you have failed to protect. I feel that I do not have the time or knowledge to fully cover all my bases. How much should I charge you guys for the hours and stress I am going to incur during this matter? I am truly concerned and would appreciate your reply without an arrogant or smart… Answer.
“You guys?” Who the hell do you think you’re talking to? I’m a data breach blogger, and I didn’t compromise your info or fail to protect it or do a damned thing to you other than to report on and comment on the breach. If you don’t like my humor or comments, go find another site or blog and post your comments there.
Well said. I appreciate your blog, even with the humor
I appreciate humor as much as the next person. But, I think right now is not really the time for that, Dissent, and feel it is a little unprofessional of you to tell others to go to another site. Now, as for comments, we are all entitled to an opinion even if people disagree with them, but I do thank you for reporting on this and keeping us updated as well.
No, I don’t think you really do appreciate humor as much as the next person if you’re suggesting that no one can laugh or make a self-deprecating joke while discussing a breach.
Bottom line: this is a non-commercial site that I pay for and donate my time to as a resource for others. I don’t owe you or anyone else anything other than to try to report accurately on breaches. I don’t even have to allow comments under each post, but I do so to allow people to vent and to try to answer their questions if they don’t know what to do. And if I feel like cracking a joke or engaging in morbid humor at times, I will. And if my humor offends, then ignore it, or go elsewhere. It really is as simple as that.
You’ve had your say, and I’ve allowed it, but this conversation is over.
I have had lifelock for over a year now….it makes me feel MUCH more secure and is what you were saying you wanted. Just an fyi.
You do know that LifeLock has been charged by the FTC for failing to live up to its promises, right? If you don’t know, see this post: http://www.databreaches.net/ftc-takes-action-against-lifelock-for-alleged-violations-of-2010-order/
Why do I have a strong sense that the goal here is to lead people to ‘free’ credit monitoring that will turn into charged renewals and developing targets for ongoing services? It seems fishy to me. Anyone else feel like MIE and the Security service companies are in this together?
I’m pretty sure that MIE would prefer NOT to have to pay for the Experian service but are doing it to mitigate the harm done and possibly (likely) also for litigation defense. Using Experian after a breach is very common in this country.
Yes, it is common… and who is making all the money? Experian and companies like them. Follow the money. We don’t know that the 2 years of free Experian wasn’t paid for as an investment by Experian. This also explains why someone who compromised your lifetime identity can get away with only 2 years free support offers.
Just received the letter and find it most disturbing. I have not been to a doctor or hospital in five years, live on the west coast, yet some little company in Indiana has all this information on me. What happened to HIPAA requirements on safeguarding my data? I want to understand why they have my data, where they got it from, and why.
They have your data because someone you did see either contracted with them directly or contracted with another contractor who then contracted with them. Under HIPAA, you have a right to request information as to whom your records have been disclosed to, but it sounds like you don’t know where to start. So you can call MIE’s “hotline” number on the letter and ask the representative where MIE got your info, and then start working backwards. Good luck!
Thanks for the information. Still don’t have an idea of where they got my information unless they got it from my employer, or employer’s insurance provider. If that is the case, we have 300,000 employees, Fortune 500 company… Thanks again…. Will call them tomorrow to find out why they have my data
Man-o-man, Jim—maybe we were separated at birth…! Live in the west, no doctor visits in forever and wondering how the hell I made it on a list in the Midwest and more importantly how do I extradite myself from this mess and avoid it in the future. Maybe we can update one another through these posts—-that is, should one of us actually manage to glean any pertinent info! All the best…
I just spoke with the MIE helpline and was told (after I complained about the 2 year coverage with Experian) that they would continue with free coverage for as long as an individual requested/renewed the service… I asked when they would make that bit of information public and the rep replied that she did not know, but that it was currently in their script… Anyone else hear about this?
That’s the first I’m hearing of that. I hope others also inquire and share the responses they get.