An estimated 1.5 million people in Indiana have been informed by Medical Informatics Engineering (MIE) that their information, including Social Security numbers and medical data, has been compromised by attackers.
MIE creates software for electronic medical records for healthcare providers. As a result, more than 11 healthcare providers were affected by the attack, including local companies and national outlets, as well as the federal government.
The company said that hackers had access to the MIE servers for nearly three weeks, which means that the attackers were likely exfiltrating all of that personally identifiable information (PII) and selling it long before this information was made known to the public.
Cyber-criminals can of course use this information in many ways: Identity theft, or in crafting spear-phishing emails that may be sent to the victims of the breach. They would use the PII to make the email seem legitimate, thus leading to a malware infection.
“Attackers are going after our most sensitive data, which can be used to compromise consumer financial accounts, steal identities and [to] defraud the government,” said Eric Chiu, president and co-founder of HyTrust, in a comment to media. “It took over two months since detecting ‘suspicious activity’ for Medical Informatics Engineering (MIE) to confirm the breach, which usually means that the attack was from the inside, i.e. the attacker was on MIE’s network and had access to their systems and data.”
He added, “Every healthcare firm, large and small, that stores patient data is at risk of a breach and more needs to be done to protect consumers against these cyberattacks.”
Josh Cannell, malware intelligence analyst at Malwarebytes Labs, added that the breach is alarming given the apparent profile of the perpetrators.
“As other sources have also mentioned, authorities are also concerned that this information will be used to defraud the government, and they don’t even know how they’re doing it,” he added. “It’s clear this is very organized crime, and that the criminals are doing a good job at staying a step ahead of law enforcement in this area.”
Officials strongly advise hospitals and other healthcare facilities to make the transition as soon as possible.
The FDA says that the Symbiq Infusion System may still be for sale from third parties not associated with Hospira and strongly discourages the purchase of the pumps from these outlets.
Hospira says it will continue to work with the FDA to report any new information regarding cybersecurity threats, potential risks to patients and any additional steps that could be taken to protect them.
The investigation into the security breach is ongoing, MIE said.