An Indiana medical software company fell victim to a cyberattack that exposed some 3.9 million patient records nationwide after discovering its networks were compromised earlier in the year, the United States Department of Health and Human Services reported Monday.
Medical Informatics Engineering reported to the federal agency on July 23 that nearly four million patients were affected in the hack.
The Fort Wayne-based company announced on June 10 that the attack on its main network and its NoMoreClipboard network began on May 7 and was promptly detected by May 26. The company disclosed that the exposed records include patient names, addresses, dates of birth, Social Security numbers and various health records.
A notice went up on the company's website Monday, noting that the hack affected patients across 11 different health care providers, including Concentra, which operates some 300 clinics in 38 states, Franciscan St. Francis Health Indianapolis and Rochester Medical Group.
The hack is so widespread that it also affects patients served at 44 hospitals, spanning medical centers in Indiana, Michigan and Ohio, the notice explained. Medical centers affected in the breach included the Indiana and Purdue university medical centers.
A team of third-party forensic experts that investigated the breach concluded “this is a sophisticated cyber attack.”
Medical Informatics Engineering has offered all patients affected in the medical breach two free years of credit monitoring and identity theft protection. The company has also begun mailing notice letters to affected individuals, ensuring affected patients are made aware they are impacted.
The Indiana Attorney General has urged all state residents to freeze their credit in the wake of the medical breach while his office investigates the breach.
Following the breach, Concentra emailed a statement to Ken5 stating:
“Like many healthcare providers, Concentra has used Medical Informatics Engineering (MIE) as a vendor. The cyber attack MIE experienced is limited to their servers and not Concentra servers. MIE says that no financial data of affected patients was included in the data breach. We are diligently working with MIE to pass on all relevant information to help patients understand this breach and put provisions in place to protect themselves. MIE is offering credit report monitoring services to all affected patients. They have also established a call center and web page to provide affected patients with information and updates. Not all Concentra patients were affected by the MIE breach, but we urge any patients in your viewing area who received a notification letter from MIE to call 866-328-1987 or visit mieweb.com.”