Data From IU Health Patients Breached By Unknown Perpetrators
By Boris Ladwig
Herald-Times
BLOOMINGTON – Unknown perpetrators have accessed sensitive health care data and personal information of more than 1 million hospital patients nationwide, including those treated at Indiana University Health.
One of IU Health’s vendors, Seattle-based MCG, has sent letters to patients informing them an “unauthorized party” accessed patients’ personal information including names, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and Social Security numbers.
MCG said in the letters it is “coordinating with the FBI” and it regrets “any concern this issue may cause.”
Some Bloomington area residents told The Herald-Times they had received such letters. One reader said the letter was “disturbing.” Another worried the letter might be a scam.
MCG urged patients “to remain vigilant by reviewing your account statements and monitoring your free credit reports.” Patients who have questions can call 866-475-7221 weekdays from 9 a.m. to 11 p.m. and weekends from 11 a.m. to 8 p.m.
Neither IU Health nor MCG could be reached to say when or how the information was accessed, by whom and how many local residents have been affected.
IU Health spokeswoman Samantha Kirby said via email that “a number” of people received the letters and that the health system was working with MCG “to manage the situation.”
A letter sent to a local patient indicated the data breach affected patients in at least nine U.S states. A sister paper of The Herald-Times in Sioux Falls, Iowa, reported the local health system said data from about 700 patients there had been breached.
According to the Attorney General’s office in Maine, the breach compromised data of about 1.1 million people. According to Bloomberg and Law360, a Seattle patient has sued MCG alleging negligence.
A cybersecurity expert at Indiana University criticized the slow response from MCG and IU Health, but also said most people whose data has been compromised should not panic.
“It is surprising how little information there is,” said Fred H. Cate, vice president for research, distinguished professor, C. Ben Dutton Professor of Law and director of IU’s Center for Applied Cybersecurity Research.
Disclosure laws exist to compel companies to provide people with enough information about a data breach so they can determine what to do and whether they should be worried, he said.
The breach occurred in March, and Cate wondered why it has taken so long for the companies to respond.
Cate said that based on the information that has been released, he believes most people need not worry.
“This would not keep me up at night for a second,” Cate said.
He said while the breach should not have happened, and the parties should have reacted sooner, people also need to keep in mind a lot of their information already is out there. He noted, for example, that his Social Security number is listed on his personal checks.
In addition, he said, names and Social Security numbers are not by themselves useful information for criminals.
While MCG is offering to pay two years of credit monitoring for affected patients, Cate warned that service alerts people only after they’ve already been victimized by fraud. Instead, he encouraged people to freeze their credit, which they can do for free by contacting the three national credit bureaus. You can find more information at tinyurl.com/yc4wxxu7.