An Indiana medical software company has reported the private information of 3.9 million people nationwide was exposed when its networks were hacked earlier this year, the U.S. Department of Health and Human Services said Monday.
Medical Informatics Engineering reported the number of people affected by the hack to the federal agency on July 23.
The Fort Wayne company announced June 10 that the attack on its main network and its NoMoreClipboard network began May 7 and was detected May 26. The company said the exposed information includes names, addresses, birthdates, Social Security numbers and health records.
A notice posted on the company's website said the hack affected patients of 11 health care providers. They include Texas-based Concentra, which operates more than 300 medical centers in 38 states; Franciscan St. Francis Health Indianapolis; and Rochester Medical Group in the Detroit area.
The hack also affected patients served by 44 hospitals and other radiology centers in Indiana, Ohio and Michigan, the notice said. The providers included the Indiana and Purdue university medical centers in Bloomington and West Lafayette, respectively.
An investigation by a team of third-party experts "indicates this is a sophisticated cyber attack," the notice said.
Medical Informatics Engineering has offered free credit monitoring and identity protection services to affected individuals for two years. The company said it began mailing notice letters to affected individuals for whom it has a valid postal address on July 17.
Indiana Attorney General Greg Zoeller has urged all state residents to freeze their credit in the wake of the hack. He said his office is investigating the breach.
A list of affected providers can be found online.