EHR vendor Medical Informatics Engineering suffers cyberattack

Cloud EHR vendor Medical Informatics Engineering (MIE) has revealed that it suffered a data breach affecting the electronic medical records of some of its clients' patients.

In a notice dated June 10, the Fort Wayne, Indiana-based vendor stated that it discovered suspicious activity May 26 related to one of its servers. MIE is investigating the incident and has reported it to law enforcement. The vendor also is reporting the incident to its affected clients, as well as to applicable federal and state authorities. Such clients include Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc., in Fort Wayne and Rochester Medical Group, as well as patients associated with MIE's NoMoreClipboard subsidiary.

The data potentially compromised includes patient names, Social Security numbers, lab results, medical conditions and other information; it does not include financial data, since the vendor doesn't collect or store such information.

MIE is offering free credit monitoring and identity theft protection services for two years and a toll-free phone number for patients with questions. MIE also provided advice for affected patients, such as monitoring their explanation of benefits forms and filing a complaint with the Federal Trade Commission if they discover that their information has been misused.

The security of electronic patient information is a major concern, especially in light of the large number of data breaches suffered by plans, providers and others. This incident may be the first known data breach of an EHR vendor. Many contracts between providers and EHR vendors favor the vendor when it comes to protecting the provider in the event of a breach; it is not known what the contract terms are between MIE and its clients.

The Department of Health and Human Services' Office of Inspector General had planned to review in 2015 how well covered entities and their downstream service providers, including cloud providers, protected electronic patient information. Perhaps ironically, OIG's updated work plan, released May 28, indicates that OIG will now review only the covered entities, not the cloud vendors.

To learn more:
- read the notice