Lee Rottinghaus receives the typical pile of paperwork when she visits a doctor’s office.
Like other patients, she has to decide whether close family members will be allowed access to her confidential medical information.
But after learning last week that her medical records might have been stolen in a database breach, Rottinghaus wonders what’s the point of having disclosure rules. The Fort Wayne woman said total strangers might now have access to more of her medical information than her own husband does.
About 380,000 consumers across northeast Indiana last week received data breach notification letters from Medical Informatics Engineering. The notification came about seven weeks after the hack was discovered.
Jeff Donnell, an executive with MIE, said the arduous process of investigating the data breach didn’t allow the company to contact individual consumers sooner.
Donnell spoke at length with The Journal Gazette on Wednesday morning – the same day a lawsuit was filed in U.S. District Court in Fort Wayne, claiming that MIE didn’t do enough to prevent the attack, didn’t detect the data breach quickly enough and didn’t notify consumers as soon as possible.
As the reality sets in, Rottinghaus and others are struggling to understand what was lost, how that information might be misused and what they can do about it now.
Here’s what we found out through research and interviews with experts:
Q. What is a data breach and how does it happen?
A. A breach happens when an unauthorized user – or even an authorized user – accesses stored information without permission.
The information can include company secrets, such as the formula for making Coca-Cola. It could be a diagram listing a building’s security vulnerabilities or a document outlining a baseball team’s strategy for an upcoming draft. It could be a lawyer’s notes that specify how much a client is willing to settle for in a civil lawsuit.
Stolen information can also include customer secrets, such as Social Security number, date of birth, address, phone number, bank account numbers and passwords.
Cybercriminals seek vulnerabilities, including weak passwords, laptops left unguarded, networks with insufficient safeguards and cash-strapped workers willing to take bribes for information or access.
They also try to infect computer servers with malicious software to create a covert access point. That’s why your IT staff tells you to never, ever, ever click on an attachment from an unknown sender.
Q. How often do data breaches happen?
A. Pretty much every day. The federal government recorded 67,196 cyber incidents in the 12 months ended Sept. 30, 2014, the White House reported in February.
Each incident can mean the exposure of thousands or millions of individual records.
More than 87 million private records have been exposed by federal network breaches since 2006, according to Privacy Rights Clearinghouse, a nonprofit that tracks cyber incidents at all levels of government.
And that was before more than 4 million government workers’ security clearance information was compromised in a hack disclosed in July.
Meanwhile, hundreds of millions of records have been compromised in computer attacks on retailers, universities, banks and insurance providers.
Barely a month goes by without a high-profile target being hit, including Target. That late 2013 breach exposed an estimated 40 million records.
Other victims include retailers Home Depot, Staples, Barnes & Noble, T.J. Maxx, Michaels and Neiman Marcus.
But don’t assume you’re safe if you don’t shop at those places. More than 80 million records were compromised when health insurer Anthem was hit. Even closer to home, 4.5 million patient records were exposed when cybercriminals attacked Community Health Systems, Lutheran Health Network’s parent company.
Corporate victims have been as seemingly formidable as JPMorgan Chase and as unassuming as Dairy Queen.
In Indiana alone, 400 separate data breaches were reported last year. This year, 279 have been reported to the state attorney general’s office.
Q. Who is doing the hacking? Do they ever get caught?
A. Some data breaches could be the work of an individual rogue hacker who takes advantage of an unexpected opportunity, such as finding a laptop computer full of sensitive information.
It could even be a disgruntled former employee out for revenge after being fired.
But they’re also the work of organized cybercriminals with ties to China, Russia, Ukraine and other countries.
Even when investigators have a strong idea of where a hacking attack was launched, that knowledge doesn’t necessarily lead to a quick arrest and conviction, especially if the attack was launched from overseas.
The FBI is handling the criminal investigation into the data breach at Medical Informatics Engineering.
As of last week, company officials didn’t know who hacked into their system or whether those responsible would ever be identified.
Q. What process do companies follow after finding a database breach?
A. Let’s look at what MIE did as an example.
Monitoring systems on the Fort Wayne company’s computer network alerted staff to an unusually high load of activity on one computer server at 5 a.m. May 26, Donnell said.
Information technology staff shut down that server and notified executives, who alerted the FBI’s cyber squad the same day, he said. Within 48 hours, the firm brought in cybercrime specialists recommended by its cyber insurance provider.
During the investigation, experts found that the breach actually began May 7, almost three weeks before it was discovered.
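The article says MIE's monitoring flagged an unusually high load on one server, and that the intrusion had in fact begun almost three weeks earlier. The Python below is an added illustration, not MIE's monitoring system (the article does not describe how that system works), of why that gap is common: a simple spike detector only notices traffic that stands out sharply against recent days, while a cumulative-drift (CUSUM-style) detector can catch a small, steady excess much earlier. The daily request counts are constructed sample data, and the dates, baseline, thresholds and function names are assumptions chosen to match the article's timeline.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data (not MIE's logs): daily request counts on one
# application server for May 2015. Baseline traffic is roughly 1,000
# requests a day. From May 7 a small, steady excess is added (a "low and
# slow" pattern), and May 26 carries a large spike of the kind the
# article describes being noticed at 5 a.m.
BASELINE = [1010, 985, 1020, 995, 1005, 990]             # May 1-6
LOW_AND_SLOW = [1040 + (i % 3) * 10 for i in range(19)]  # May 7-25
SPIKE = [9400]                                           # May 26
DAILY_COUNTS = {
    date(2015, 5, 1) + timedelta(days=i): n
    for i, n in enumerate(BASELINE + LOW_AND_SLOW + SPIKE)
}


def zscore_alerts(counts, window=7, threshold=3.0):
    """Spike detector: flag days whose count is more than `threshold`
    standard deviations above the mean of the preceding `window` days.
    Returns a list of (day, z-score) tuples."""
    days = sorted(counts)
    alerts = []
    for i in range(window, len(days)):
        prior = [counts[d] for d in days[i - window:i]]
        mu, sigma = mean(prior), pstdev(prior)
        if sigma == 0:  # flat history; nothing to compare against
            continue
        z = (counts[days[i]] - mu) / sigma
        if z > threshold:
            alerts.append((days[i], round(z, 1)))
    return alerts


def cusum_alert(counts, baseline_days=6, slack=20, limit=200):
    """Drift detector: accumulate each day's excess over a fixed baseline
    mean (less a small slack so normal jitter does not accumulate) and
    return the first day on which the running sum passes `limit`, or
    None if it never does."""
    days = sorted(counts)
    base = mean(counts[d] for d in days[:baseline_days])
    running = 0.0
    for d in days[baseline_days:]:
        running = max(0.0, running + counts[d] - base - slack)
        if running > limit:
            return d
    return None


def dwell_days(first_intrusion_day, detection_day):
    """Days between the attacker's first activity and the alert that
    exposed it, the figure a forensic review establishes afterwards."""
    return (detection_day - first_intrusion_day).days


if __name__ == "__main__":
    spikes = zscore_alerts(DAILY_COUNTS)
    print("spike detector fired on:", [d.isoformat() for d, _ in spikes])
    drift = cusum_alert(DAILY_COUNTS)
    print("drift detector fired on:", drift)
    print("dwell time before spike alert (days):",
          dwell_days(date(2015, 5, 7), date(2015, 5, 26)))
```

On this sample the spike detector fires only on May 26, while the drift detector fires on May 14, a week after the excess began; the low-and-slow days never exceed three standard deviations of the previous week, which is why volume thresholds alone leave weeks of dwell time.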
Consultants guided the medical software company in following state and federal guidelines about how soon consumers must be notified. MIE notified the Federal Trade Commission, the Department of Health and Human Services and the offices of numerous state attorneys general.
After notifying client companies June 2, the firm made a public statement on June 10. But MIE waited to mail the almost 3.1 million notification letters to consumers until officials knew which individual patients were affected and to what degree each person’s private information was compromised.
MIE officials didn’t want patients who have visited more than one health care provider to receive multiple letters that might contradict each other on what information was left vulnerable, Donnell said.
Letters started going out July 17; the last ones were mailed July 25, 60 days after the breach was discovered.
Ira Kushner is among those who believe MIE’s efforts were too little, too late. He thinks the offer of two years of free credit monitoring isn’t enough. He wants a cash settlement.
The Sun City, Arizona, man has contacted the Indianapolis attorney who filed a lawsuit against the company. Kushner wants to join the class-action suit, assuming a class is approved by the court.
"It is just so frustrating," Kushner said. "I spent four hours trying to figure out what was going on with this letter."
Q. Are there any rules for how soon companies have to notify customers? Did MIE notify affected consumers in a timely manner?
A. Yes, there are rules set out by federal and state authorities.
MIE mailed letters to individual consumers within 60 days of discovering the attack. A lawsuit requesting class-action status was filed against MIE last week alleging that the notification didn’t come soon enough and the medical software company was negligent in the precautions it took to avoid a cyberattack.
The issue will presumably be decided in court or settled out of court.
Beyond that consumer complaint, the U.S. Securities and Exchange Commission, among other government entities, can and does investigate how companies have handled and disclosed hacking attacks.
Q. What kind of information is included in medical records?
A. A lot of what’s in your patient file might be so sensitive that you wouldn’t want to tell your own mother about it.
Patient Privacy Rights lists potential items on its website. The Texas-based nonprofit describes its mission as restoring patient control over personal health information.
Records may include:
• Personal and family medical history
• Lab test results, including genetic testing
• Medication prescriptions
• Alcohol use and sexual activity
• Lifestyle details, including smoking, exercise, recreational drug use, stress levels
• Results of operations and procedures
• Social Security number
• Payment information, including credit card number
Q. Who typically has access to my health records?
A. A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case.
All those entities can access your records without getting special permission from you, according to Patient Privacy Rights.
Q. How can medical information be misused?
A. An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score.
That’s what worries Rottinghaus, who was hospitalized four times last year – first for an appendectomy and then for various complications. She received so many real bills in the mail, she’s not sure whether she could have picked out a fake one.
Then there’s the issue of using sensitive medical information for marketing – or even for blackmail.
Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition.
Someone with those or similar medical conditions could face discrimination in hiring.
Rottinghaus wonders if such personal information could be used to blackmail someone. Suppose a political candidate who publicly is against all access to abortion privately paid for an abortion for his 16-year-old daughter or for his wife, whose life was at risk from the pregnancy.
The possibilities, Rottinghaus said, are troubling.
But the greater danger is that someone’s Social Security number and date of birth will be used to access credit, a local attorney said.
Q. Can I totally eliminate the risk of having my data stolen?
A. If you want to keep your personal information out of databases connected to the Internet, good luck.
Among the things you’ll have to give up are your driver’s license, checking account, credit card, college classes, health insurance, mutual fund and stock investments, physician and dentist appointments, prescription eyeglasses, state and federal subsidies and all property ownership.
You’d have to stop earning a regular paycheck and paying state and federal income taxes. You’d also have to stop voting in all local, state and federal elections.
So unless you want to become a hermit foraging for food in the woods, you’d better make peace with being vulnerable to cybercrime.