Sensitive data from IU Health patients breached by unknown perpetrators

Unknown perpetrators have accessed sensitive health care data and personal information of more than 1 million hospital patients nationwide, including those treated at Indiana University Health.

One of IU Health's vendors, Seattle-based MCG, has sent letters to patients informing them an “unauthorized party” accessed patients’ personal information including names, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and Social Security numbers.

IU Health promised to freeze prices,then added fees to Bloomington patients' bills

MCG said in the letters it is “coordinating with the FBI” and it regrets “any concern this issue may cause.”

Some Bloomington area residents told The Herald-Times they had received such letters. One reader said the letter was “disturbing.” Another worried the letter might be a scam.

IU Health patients asked to review statements, credit reports

MCG urged patients “to remain vigilant by reviewing your account statements and monitoring your free credit reports.” Patients who have questions can call 866-475-7221 weekdays from 9 a.m. to 11 p.m. and weekends from 11 a.m. to 8 p.m.

Neither IU Health nor MCG could be reached to say when or how the information was accessed, by whom and how many local residents have been affected.

IU Health spokeswoman Samantha Kirby said via email that “a number” of people received the letters and that the health system was working with MCG “to manage the situation.”

Others are reading:Indiana town divided by LGBTQ Pride display

A letter sent to a local patient indicated the data breach affected patients in at least nine U.S states. A sister paper of The Herald-Times in Sioux Falls, Iowa, reported the local health system said data from about 700 patients there had been breached.

According to the Attorney General's office in Maine, the breach compromised data of about 1.1 million people. According to Bloomberg and Law360, a Seattle patient has sued MCG alleging negligence.

A cybersecurity expert at Indiana University criticized the slow response from MCG and IU Health, but also said most people whose data has been compromised should not panic.

“It is surprising how little information there is,” said Fred H. Cate, vice president for research, distinguished professor, C. Ben Dutton Professor of Law and former director of IU's Center for Applied Cybersecurity Research.

Disclosure laws exist to compel companies to provide people with enough information about a data breach so they can determine what to do and whether they should be worried, he said.

The breach occurred in March, and Cate wondered why it has taken so long for the companies to respond.

Data breach: What should you do?

Cate said based on the information that has been released, he believes most people need not worry.

“This would not keep me up at night for a second,” Cate said.

He said while the breach should not have happened, and the parties should have reacted sooner, people also need to keep in mind a lot of their information already is out there. He noted, for example, that his Social Security number is listed on his personal checks.

In addition, he said, names and Social Security numbers are not by themselves useful information for criminals.

While MCG is offering to pay two years of credit monitoring for affected patients, Cate warned that service alerts people only after they’ve already been victimized by fraud. Instead, he encouraged people to freeze their credit, which they can do for free by contacting the three national credit bureaus. You can find more information at tinyurl.com/yc4wxxu7.

A credit freeze restricts access to your credit, which means you and others won’t be able to open a new credit account, according to the Federal Trade Commission. When the freeze is in place, you will still be able to do things such as apply for a job, rent an apartment or buy insurance without lifting or removing the freeze.

Cate said people can temporarily lift the freeze if they apply for new credit, such as a credit card or a car loan.

Seeking a primary-care doctor? Few in Bloomington taking new patients

MCG is part of Hearst Health, which is part of New York-based Hearst Communications. MCG says on its website that it uses artificial intelligence and “technology solutions, infused with objective clinical expertise” to provide “unbiased clinical guidance that gives healthcare organizations confidence in their patient-centered care decisions.”

The company could not be reached to explain what that means.

IU Health could not be reached to explain what MCG does for the local health system. Kirby said in her email that MCG is “a company IU Health works with.”

She wrote that patient privacy was of “utmost importance” to IU Health and apologized for any “inconvenience.”

Correction: This post was updated to correct Cate's position at the Center for Applied Cybersecurity Research.

Boris Ladwig is the city government reporter for The Herald-Times. Contact him at bladwig@heraldt.com.