An Indiana medical software company says a data breach earlier this year has impacted 1.5 million people in Indiana, including 28,000 Indiana University employees.
Medical Informatics Engineering reported the data to the US Department of Health and Human Services this week.
Officials say the breach of the company's NoMoreClipboard service exposed personal data including birth dates, addresses and phone numbers — but a number of users may have had their social security numbers compromised.
While much of the data exposed might not appear valuable or private, cybersecurity expert Fred Cate says hackers can still use it to their advantage by compiling the information and then pretending to be someone they’re not.
“For example, some of the simplest information, like if I know the names of your kids, I might say, ‘Hi, I’m your kids’ teacher at X school, and I want you to follow up about Bobby. To find out about him, you need to log in to your account.’ Now you give me your log-in credentials, and I’m off to the races,” Cate says.
Indiana Attorney General Greg Zoeller last week urged all Hoosiers to freeze their credit. Cate says while that might seem like overkill, it can actually be a good solution for some people.
And he says it’s unlikely a lawsuit against Medical Informatics Engineering would get very far. He says previous lawsuits against companies that have experienced data breaches have not historically been successful.