Please call (866) 328-1987 if you have any questions.

Medical Informatics Engineering Updates Notice to Individuals of a Data Security Compromise

Fort Wayne, Indiana, July 23, 2015 — Medical Informatics Engineering is providing an update to our June 10, 2015 notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record. We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified.

On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data.

We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.

Information compromised

While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual's name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor's name, medical conditions, and child's name and birth statistics.

Notification

On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected Medical Informatics Engineering clients.

On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.

Identity protection services

As the investigations continue, and out of an abundance of caution, we are offering affected individuals access to two years of credit monitoring and identity protection services at no cost.

Fraud prevention tips

We suggest affected individuals remain vigilant and seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements for suspicious activity. We also encourage affected individuals to notify their credit card companies, health care providers, and heath care insurers of this data security incident. Affected individuals may also review explanation of benefits statement(s) that they receive from their healthcare provider or health plan. If an affected individual sees any service that he/she believes he/she did not receive, the individual should contact his/her health care provider or health plan at the telephone number listed on the explanation of benefits statement(s). If an affected individual does not receive regular explanation of benefits statement(s), we suggest he/she contact his/her healthcare provider or health plan and ask that they send a copy after each visit the affected individual makes with his/her health care provider.

We also suggest that affected individuals carefully review their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228.

At no charge, individuals can also have these credit bureaus place a "fraud alert" on their file that alerts creditors to take additional steps to verify the his/her identity prior to granting credit in his/her name. Please note, however, that because it tells creditors to follow certain procedures to protect an individual's credit, it may also delay the ability to obtain credit while the agency verifies the individual's identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on an individual's file. If you wish to place a fraud alert, or you have questions regarding your credit report, you can contact any one of the following agencies: Equifax, Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374, (800) 525-6285, www.equifax.com; Experian, Consumer Fraud Assistance, P.O. Box 9556, Allen, TX 75013, (888) 397-3742, www.experian.com; TransUnion, Consumer Relations & Fraud Victim Assistance, 1561 E. Orangethorpe Avenue, Fullerton, CA 92831, (800) 372-8391, www.transunion.com. Information regarding security freezes may also be obtained from these sources.

The Federal Trade Commission (FTC) encourages those who discover that their information has been misused to file a complaint with them. To file a complaint with the FTC, or to obtain additional information on identity theft and the steps that can be taken to avoid identity theft, the FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261. This notice has not been delayed because of law enforcement; however, instances of known or suspected identity theft should be reported to local law enforcement, your state Attorney General, and the FTC. State Attorneys General may also have advice on preventing identity theft. Individuals can also learn more about placing a fraud alert or security freeze on their credit files by contacting the FTC or state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us. For Kentucky residents, the Attorney General can be contacted at 700 Capitol Avenue, Suite 118, Frankfort, KY 40601-3449, (502) 696-5389, www.ag.ky.gov. For Indiana residents, the Attorney General can be contacted at 302 W. Washington Street, Indianapolis, IN 46204, (317) 232-6201, www.in.gov.

Security Freeze
Under MA and WV law, affected individuals have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Under MA and WV law, you may place a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

If you have been a victim of identity theft, and provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in MA and $5.30 in WV each to place, temporarily lift, or permanently remove a security freeze. To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
  5. Proof of current address, such as a current utility bill or telephone bill;
  6. A legible photocopy of a government-issued identification card (state driver's license or ID card, military identification, etc.);
  7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
  8. If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.

The credit reporting agencies have three (3) business days after receiving a request to place a security freeze on a credit file report. The credit bureaus must also send written confirmation to the individual within five (5) business days and provide individual with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.

Toll-free hotline

We have established a confidential, toll free hotline to assist affected individuals with questions regarding the incident, their affected personal and protected health information, their affected healthcare provider(s), and the identity monitoring and protection services we are making available. The hotline can be reached at (866) 328-1987, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, except for holidays. If you would like to confirm whether you are affected by this incident, you may call our hotline. Updates regarding this incident, our investigation and steps individuals may take to protect themselves from identity theft and fraud will be available on www.mieweb.com and through our toll free hotline. Questions regarding the incident should not be directed to your healthcare provider(s) as they may not be able to answer your questions.

Affected entities

The following healthcare providers were affected by the Medical Informatics Engineering cyber attack. Patients of these healthcare providers may be affected, and individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected healthcare providers include:

  • Concentra
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery)
  • Franciscan St. Francis Health Indianapolis
  • Gynecology Center, Inc. Fort Wayne
  • Rochester Medical Group
  • RediMed
  • Fort Wayne Radiology Association, LLC including d/b/a Nuvena Vein Center and Dexa Diagnostics
  • Open View MRI, LLC
  • Breast Diagnostic Center, LLC
  • P.E.T. Imaging Services, LLC
  • MRI Center — Fort Wayne Radiology, Inc. (f/k/a Advanced Imaging Systems, Inc.)

Individuals who received services from Fort Wayne Radiology Association, Open View, Breast Diagnostic Center, PET Imaging or MRI Center during the period of time from January 1, 1997 to May 26, 2015 may be affected. The database relating to these healthcare providers was accessed on May 26, 2015. Individuals may also visit the providers’ websites, which may be accessed at www.fwradiology.com, for information on this incident. Affected individuals may include, along with potential others, individuals who received radiology services during this time at any of the organizations identified below:

Accustat Medical Lab, Inc.Indianapolis, IN
Allergy & Asthma CenterFort Wayne, IN
Associated Physicians & Surgeons Clinic, LLCTerre Haute, IN
Ball Memorial HospitalMuncie, IN
Bedford Regional Medical CenterBedford, IN
Cameron Memorial Community HospitalAngola, IN
Central Indiana Orthopedics, PCMuncie, IN
Community Memorial HospitalHicksville, OH
Ear, Nose & Throat AssociatesFort Wayne, IN
Family Medicine Associates, Jerry Sell, M.D.Rockford, OH
First Care Family PhysiciansFort Wayne, IN
Fort Wayne Medical Oncology & HematologyFort Wayne, IN
Gary Pitts, M.D.Warsaw, IN
Indiana Urgent Care Centers, LLCIndianapolis, IN
Indiana University Health CenterBloomington, IN
Jasper County HospitalRensselaer, IN
Manchester Family PhysiciansNorth Manchester, IN
MedCorpToledo, OH
Meridian Health GroupCarmel, IN
Nationwide Mobile ImagingFort Wayne, IN
Neighborhood Health ClinicFort Wayne, IN
Orthopaedics NortheastFort Wayne, IN
Parkview Regional Medical CenterFort Wayne, IN
Parkview HospitalFort Wayne, IN
Parkview Ortho HospitalFort Wayne, IN
Parkview Heart InstituteFort Wayne, IN
Parkview Women & Children's HospitalFort Wayne, IN
Parkview Noble HospitalKendallville, IN
Parkview Huntington HospitalHuntington, IN
Parkview Whitley HospitalColumbia City, IN
Parkview LaGrange HospitalLaGrange, IN
Parkview Physicians Group
Parkview Occupational Health Centers
Paulding County HospitalPaulding, OH
Prompt Care ExpressColdwater, MI; Sturgis, MI
Public Safety Medical ServicesIndianapolis, IN
Purdue University Health CenterW. Lafayette, IN
Southwestern Medical ClinicsBerrien Springs, MI
Tri-State Medical ImagingAngola, Indiana
Union Associated Physicians ClinicTerre Haute, IN
U.S. Healthworks Medical Group of IndianaElkhart, IN
Van Wert County HospitalVan Wert, OH
Wabash County HospitalWabash, IN
Wabash Family CareWabash, IN

We take the security of health information very seriously and understand that such incidents cause real concern. We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge.

© 2016 Medical Informatics Engineering. | All Rights Reserved