Thousands Of Kansans Affected By Security Breach

Patient Portal Provider For Hospitals Was Hacked
Bryan Thompson

Thousands of Kansans soon will be receiving letters notifying them that their electronic health records may have been compromised.

The letters are from a Fort Wayne, Ind., company that provides an online patient portal called NoMoreClipboard used by 18 Kansas hospitals and at least half a dozen clinics. Most are small-town hospitals in western and southeastern Kansas. The largest is in Hutchinson.

“We have 3,815 patients that have signed up to use the patient portal,” said Amelia Boyd, vice president of business development at Hutchinson Regional Health Care System. “The only information that is involved in our portal is demographic. There’s no financial information or clinical information involved for our system.”

Others may not be so fortunate, though. In a security notice dated July 23, the company, Medical Informatics Engineering, said hackers may have obtained patients’ Social Security numbers, passwords and diagnoses, as well as a wide range of other information. Affected hospitals, physicians and other health facilities are listed at the bottom of the online security notice.

“While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering’s network has been affected,” the company said in a news release.

Hackers first got into the system May 7, but the cyberattack apparently went undetected for almost three weeks. Medical Informatics Engineering said it discovered “suspicious activity” on a server on May 26, when it launched an investigation and notified law enforcement, including the Federal Bureau of Investigation’s Cyber Squad.

“We have been working with a team of third-party experts to investigate the attack and enhance data security and protection,” the company said in the news release. “Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation.”

Officials with some of the affected Kansas hospitals said they have not been getting many calls about the incident so far. That may be because letters advising patients to be on the lookout for signs of identity theft are still in the mail.

The letter also urges patients to monitor their credit reports. Citing “an abundance of caution,” the company is offering affected individuals free access to two years of credit monitoring and identity protection services.

The company established a hotline for patients, who can call (866) 328-1987 from 8 a.m. to 8 p.m. weekdays.

The news release said affected data for individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.

Eric Jones, the co-founder and chief operating officer of Medical Informatics Engineering, was unavailable for comment.

The KHI News Service is an editorially independent initiative of the Kansas Health Institute.

News Region: 
Midwest
Keywords: 
Breaches, data, Kansas, patient portals