Posted on Jun 16, 2015
Update: According to the Department of Health and Human Services, this third party data breach from Medical Informatics Engineering and NoMoreClipboard has now affected a whopping total of 3.9 million individuals, making it the fourth largest breach in 2015, according to Data Breach Today.
Update: Two more medical centers in the Midwest have reported breaches via the third party, NoMoreClipboard: Hutchinson Regional Medical Center in Hutchinson, Kansas (July 24) and Margaret Mary Health in Batesville, Indiana (July 23). The number of patients exposed was not disclosed.
A Fort Wayne, Indiana company, Medical Informatics Engineering, had one of its subsidiary companies, NoMoreClipboard, breached in early May. The number of patient records has not been disclosed to date, but the list of affected medical centers is extensive, and so is the potential number of affected patients.
According to HealthITSecurity, the following medical centers were affected: Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group. South Bend Medical Foundation was also a victim, reported The South Bend Tribune.
"The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual's name, home address, username, hashed password, security question and answer, email address, date of birth, health information, and Social Security number," wrote NoMoreClipboard in its public statement.
One of the affected companies, Concentra, operates 300 medical centers in 40 states and serves over 25,000 patients a day, according to its own website.
This kind of personally identifiable information means easy money for hackers selling the data on underground forums, and it can lead to identity theft. Hashed passwords can be cracked offline, so patients who reuse the same password elsewhere are also exposed to account takeover and digital ransom on those other services. Most security and authentication experts call for some of this information, such as Social Security numbers, not to be used for digital identity verification. Yet in healthcare, banking, and many other industries, SSNs remain in wide use as identifiers and authenticators.
Money magazine wrote in an article after the Sony Pictures breach last December about fraud potential with SSNs, and offered this insight:
With a Social Security number, fraudsters can apply for credit cards, mortgages and other lines of credit in your name, racking up debt on your tab. That can ruin your credit, making it difficult for you to get a new credit card, mortgage, or even a job. Identity thieves can also file fraudulent tax returns in your name, robbing you of your return and causing chaos at the IRS.
The efforts to digitize medical information for easier sharing among healthcare providers, doctors, and medical staff are a legitimate endeavor. Anything that makes healthcare more efficient and more responsive to patients and medical professionals makes sense. The problem is, as always: how do you know the security of the third parties you are connecting to? How do you know their risk posture, and how do you know when it changes?
Healthcare partners such as health information exchanges have legal requirements and Federal security guidelines to follow, but the evidence is mounting that the gap between compliance on paper and actual security is putting many healthcare clinics, hospitals, medical offices, and patients at risk.
The push for electronic health records (EHR), in particular, by the U.S. government and the healthcare industry has been ongoing for years. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, provided roughly $20 billion in incentive payments to healthcare providers that adopt and meaningfully use certified EHR systems.
A quick look into our collaborative security platform found notable issues with NoMoreClipboard.com's network security, DNS health, and application security. Application security, in particular, indicated that SQL injection was possible.
"NoMoreClipboard appears to have an antiquated legacy system that makes use of PHP and Common Gateway Interface (CGI) functions," said Alex Heid, Chief of Research at SecurityScorecard. "Upon querying
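To make concrete what a SQL injection opening in a legacy PHP/CGI portal login looks like, here is an added example (constructed for this post, not NoMoreClipboard's code, whose internals are not shown here). The table, the sample row, the SSN value and the unsalted SHA-256 hashing are all assumptions for the demonstration; the point is the contrast between splicing user input into the SQL text and passing it as a bound parameter, and that the same flaw that bypasses authentication also leaks the sensitive columns the breach notice lists.

```python
"""Added example: SQL injection in a login lookup, vulnerable vs. parameterized.

Constructed illustration using an in-memory SQLite database; it is not
NoMoreClipboard code, and the schema, sample data and hash scheme are assumed.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway patient-portal user table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, ssn TEXT)"
    )
    # Constructed sample row. Unsalted SHA-256 is used only to keep the demo
    # short; a real portal should use a slow, salted scheme such as bcrypt/argon2.
    rows = [("alice", hashlib.sha256(b"correct horse").hexdigest(), "123-45-6789")]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return the matched username, or None. The username is spliced into the
    SQL text, so a quote in it changes the query's structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver sends the SQL and the
    values separately, so quotes and comment markers in input stay data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Legitimate login works in both versions.
    print(login_vulnerable(db, "alice", "correct horse"))  # alice
    # Comment out the password check entirely (SQLite treats "--" as a comment).
    print(login_vulnerable(db, "alice' --", "wrong"))  # alice
    # Use UNION to pull a column the login was never meant to return.
    print(login_vulnerable(db, "x' UNION SELECT ssn FROM users --", "wrong"))  # 123-45-6789
    # The parameterized version rejects both payloads as ordinary, non-matching usernames.
    print(login_safe(db, "alice' --", "wrong"))  # None
    print(login_safe(db, "x' UNION SELECT ssn FROM users --", "wrong"))  # None
```

The two payloads above map directly onto the breach impact described earlier: the first lets an attacker log in as any known username without a password, and the second turns the login query into a read of the `ssn` column for every user. Parameterized queries (prepared statements in PHP's PDO or mysqli) close both; the hashing scheme is a separate concern, since a cracked hash still unlocks every site where a patient reused that password.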