Medical Informatics Engineering, a Fort Wayne, Ind.-based maker of Web-based health information-technology software, said Wednesday it was the victim of a sophisticated cyber attack that exposed the protected health information of an unknown number of patients.
MIE emphasized that patients of only some of its clients were affected, including the Fort Wayne (Ind.) Neurological Center, Franciscan St. Francis Health Indianapolis, the Gynecology Center in Fort Wayne, Rochester Medical Group in Rochester Hills, Mich. and Concentra, a national network of primary-care and specialty clinics. The company said in a statement that it is working with a third-party forensics firm to determine an “accurate number of affected patients.”
MIE's clients include about 100 small- to medium-sized physician offices.
The hack includes MIE's NoMoreClipBoard subsidiary, which produces a personal health-record management system.
The servers that were hacked held protected health information including patient names, mailing and email addresses, birthdates, and for some patients, social security numbers, laboratory results, dictated reports and medical conditions. Financial records were not compromised because the company does not collect or store that information, but experts told Modern Healthcare that clinical data can often be even more valuable to identity thieves.
The company said it learned about the hack after it discovered suspicious activity on one of its servers May 26, at which point it immediately launched an investigation to resolve any system vulnerabilities, in addition to reporting the security breach to law enforcement, including the FBI, company officials said.
Eric Jones, MIE's chief operating officer, said it's clear that, big or small, healthcare companies must deal with the serious threat of cyber attacks.
“I certainly I think it's becoming obvious to most of us that this is becoming a more common occurrence," Jones said. "There are sophisticated entities out there that want to do harm and we need to be more vigilant, we need to do a better job to protect the information that we hold."
Jones said he doesn't believe that the Web-based nature of the company's software made it an easier target.
"I think everybody is vulnerable, whether your application is Web-based or if your client server is within four walls, I think there's still high risk that you could be impacted this way," Jones said.
MIE and NoMoreClipBoard began contacting clients and patients on June 2, and are offering free credit monitoring and identity protection services to affected patients for the next 24 months. The company also established a toll-free hotline to answer questions about the hack.
Data breaches in healthcare are the most expensive to remediate and are growing more so, according to a May report from the Ponemon Institute.