EHR Cyberattack Affected 3.9 Million
Investigation Reveals Far More Organizations Impacted
As a result of a continuing investigation, the estimate of the number of organizations affected by a recent cyberattack on Web-based electronic health records vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, has ballooned (see EHR Vendor Target of Latest Hack).
The breach affected 3.9 million individuals, according to the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals since September 2009.
In a July 30 statement, Indiana Attorney General Greg Zoeller said the cyberattack that was discovered in May affected an estimated 1.5 million individuals in Indiana alone. Zoeller is urging Indiana state residents to freeze their credit in the wake of the recent data breach at the Fort Wayne-based company.
Even if no other victims are identified, the cyberattack on MIE will be the seventh largest breach listed on the federal tally - and the fourth largest breach in 2015.
The other four larger breaches this year were also hacking attacks. Those include cyberattacks against Anthem Inc., affecting nearly 80 million individuals; Premera Blue Cross, impacting 11 million; and UCLA Health, affecting 4.5 million.
In May, MIE revealed that a "sophisticated cyberattack" involving unauthorized access to its network began on May 7, resulting in a breach that compromised protected health information relating to patients affiliated with certain clients. At the time, the company named five healthcare entities that were among the affected clients and did not provide any estimate of how many individuals were impacted.
Updated Breach Details
An updated statement that MIE issued on July 24, however, shows the list of affected entities - ranging from small doctor offices to medical specialty group practices, hospitals and other organizations - has grown to more than 200.
"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected," the new statement says. "The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual's name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor's name, medical conditions and child's name and birth statistics."
The affected data relating to individuals who used a NoMoreClipboard portal/personal health record, the new statement notes, may include an individual's name, home address, Social Security number, username, hashed password, spousal information - including name and potentially date of birth - security question and answer, email address, date of birth, health information and health insurance policy information.
MIE says that "out of an abundance of caution," it is offering affected individuals access to two years of free credit monitoring and identity protection services.
Steps to Take
Security expert Tom Walsh, founder of the consulting firm tw-Security, says he is startled by how many victims and entities are affected by the breach.
"I was surprised at the number of entities affected and the total number of patients. Some of those entities affected are located in Kansas, so I had heard about the breach through some of those organizations," says the consultant, whose company is based in Kansas. "All PHI data is a potential target. Obviously, we can and need to do a better job of protecting the data."
In the wake of the attack, healthcare organizations should take several steps to protect EHRs, including cloud-based systems, Walsh says. Key action items include:
- Patch management. Systems need to be evaluated and updated frequently.
- Tighter access control. This is especially needed for system administrator access or elevated privileges, including employees, contractors and subcontractors. For example, two-factor authentication should be required for any type of remote access.
- Database encryption. Of course, this will only help if a hacker has not compromised a system administrator's account.
- System monitoring. Consider outsourcing this activity to a third party using managed security services.
- Vulnerability scanning and network penetration testing. Conduct regular scans, especially after any significant changes are made to an external-facing application or system. Also, conduct annual penetration testing.
- Enhanced incident response capability. The more exercises or drills that are conducted, the better the response when a real event occurs. Organizations should develop "playbooks" to document response procedures for the various scenarios.
MIE did not immediately respond to Information Security Media Group's request for comment.