Pilfered info includes names, SSNs and email addresses

Jun 27, 2015 10:16 GMT

Health information belonging to a still-to-be-confirmed number of individuals has been pilfered by hackers from the systems of Medical Informatics Engineering, a company that maintains a cloud-based health information exchange platform.

The solution is provided to physicians in family practices as well as to clients in the Fortune 100, with modules dedicated to different use cases.

Patients of at least five MIE clients are affected

On Friday, as required by California law for data breaches impacting more than 500 residents, the company informed the California Office of the Attorney General of the incident. The company's clients, however, have been receiving notifications since June 2.

The affected customers include Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.

In the letter disclosing the event, Medical Informatics Engineering (MIE) says that the intruders accessed one of its servers without authorization in two rounds, from May 7 through May 8, and on May 25, 2015.

Social security numbers exposed for some patients

The technical team discovered the illegal connection on May 26 and took immediate action by deploying an incident response plan, starting an investigation to identify the security vulnerability exploited by the attacker.

Third-party forensics experts have been contracted to understand the scope of the attack and to confirm the security of the systems. MIE also informed the FBI, whose Cyber Squad unit initiated an investigation.

MIE called this a “sophisticated cyber attack” that exposed names of patients, home addresses, email addresses, dates of birth and, in some cases, social security numbers.

Additional info the attacker may have accessed includes lab results, dictated reports, and medical conditions. Financial or card data remains unaffected as it is not stored by MIE.

In a recent report on the state of application security, Veracode revealed that the most prevalent vulnerabilities across all industries, after those relating to code quality, are those touching on cryptography. In the healthcare sector, 80% of the apps exhibited flaws that included the use of weak encryption algorithms.

Furthermore, the healthcare sector came out second to last as far as remediation of vulnerabilities is concerned, patching 43% of the problems discovered through Veracode’s code analysis platform.

Out of an abundance of caution, MIE offers credit monitoring and protection against identity theft to all affected individuals, free of charge, for a period of two years.