MIE cyberattack exposed info of 3.9 million people

It appears that the cyberattack suffered by Indiana-based cloud electronic health record vendor Medical Informatics Engineering (MIE) may be worse than first thought, affecting 3.9 million people.

MIE originally announced the data breach June 10. In an updated notice dated July 23, MIE provided more detail about what actions it has taken since it discovered suspicious activity in late May, touting its notifications to affected clients and offering of more detailed fraud prevention tips. MIE also outlined how it will protect patient data in the future.

"We are continuing to take steps to remediate and enhance the security of our systems," the notice states. "Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems and intelligence exchange with law enforcement. We have also instituted a universal password reset."

A forensic investigation determined that the attack began May 7. The types of data breached are extensive, including not only patient names and addresses, but also Social Security numbers, passwords and usernames, lab results, health plan information, child and spousal information and diagnoses. Eleven of MIE's provider clients, plus 44 radiology centers, have been affected.

In light of the incident, Indiana Attorney General Greg Zoeller issued a notice July 30, saying that the state is investigating the breach and that people should take steps to secure their information.

"People cannot sit back and assume they won't become a victim of these crimes which are costly, time consuming to fix and can have a long-term impact on your financial stability and credit," Zoeller says. "Everyone in Indiana should have a credit freeze in place to protect themselves from becoming a victim of identity theft and fraud."

The security of electronic patient information is a primary concern. MIE's data breach may be the first known cyberattack on an EHR vendor. The healthcare industry, with its treasure trove of confidential information, is a popular target for cybercrime.

To learn more:
- here's the attorney general announcement
- read the updated MIE notice