Indiana University Health

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Indiana University Health (IU Health) experienced a data security incident involving one of its vendors, Nuance Communications, which was discovered to have a data security incident involving its use of MOVEit transfer software. The breach occurred between May 28 and 29, 2023, and affected patients who received radiology services at IU Health. The compromised data included patients’ names, service dates, reasons for visits, and descriptions of services[1].

Additionally, IU Health was affected by a third-party cybersecurity attack at TMG Health, Inc., which resulted in the exposure of names, member identification numbers, effective dates of plans, and banking account and routing numbers of certain individuals. This incident was a result of a vulnerability in the MOVEit file transfer software developed by Progress Software, and unauthorized downloads of certain files from TMG’s MOVEit server occurred between May 30 and June 2, 2023[2][4][7][9][11].

IU Health began sending out data breach notification letters to affected individuals on August 4, 2023. TMG Health, which provides outsourcing solutions for Medicare Advantage, Medicare Part D, and Managed Medicaid plans, has offered free credit monitoring to the victims of the breach[2][4][7][9][11].

Nuance Communications has since implemented new security measures to strengthen the security of its IT system environments and has set up a dedicated call center to answer questions about the incident[1]. IU Health has also taken steps to collaborate closely with its vendor, TMG, to strengthen their systems and prevent future unauthorized activities[7].

This incident is one of several data breaches that IU Health has experienced over the years, including a previous breach in 2016 at IU Health Arnett Hospital involving the loss of an unencrypted flash drive that potentially exposed the Protected Health Information of 29,324 patients[3].

Citations:

  1. https://fox59.com/indiana-news/indiana-university-health-reports-data-security-incident-pertaining-to-one-of-its-vendors/
  2. https://www.myinjuryattorney.com/indiana-university-health-data-breach-investigation/
  3. https://www.hipaajournal.com/iu-health-security-breach-29k-8252/
  4. https://www.jdsupra.com/legalnews/indiana-university-health-reports-data-2164719/
  5. https://www.heraldtimesonline.com/story/news/healthcare/2022/06/22/indiana-university-health-mcg-data-breach-what-should-patients-do/7686747001/
  6. https://cybernews.com/news/indiana-university-data-breach/
  7. https://iuhealth.org/for-media/press-releases/iu-health-plans-reports-notice-of-moveit-data-security-incident-involving-its-vendor-tmg-health
  8. https://healthitsecurity.com/news/indiana-ag-sues-iu-health-for-violating-patient-privacy-of-10-year-old-rape-victim
  9. https://fox59.com/indiana-news/iu-health-plans-report-data-security-breach-from-vendor/
  10. https://radiologybusiness.com/topics/health-it/enterprise-imaging/pacs/nuance-notifying-radiology-patients-after-data-security-incident
  11. https://www.beckershospitalreview.com/cybersecurity/iu-health-another-victim-in-moveit-breach.html
  12. https://www.databreachtoday.com/indiana-university-reports-breach-a-6579
  13. https://www.wthr.com/article/news/local/iu-health-reports-data-breach-involving-vendor-tmg/531-c1b2c9ff-07c2-4571-a463-9e171badadef
  14. https://www.indystar.com/story/news/health/2023/12/11/indiana-systems-falling-prey-increasing-hacks-into-medical-records/71752996007/
  15. https://www.wfyi.org/news/articles/a-data-breach-exposed-private-health-information-of-more-than-200000-medicaid-clients-in-indiana
Breach Submission Date Sep 22, 2023
Converted Entity Name Indiana University Health
Converted Entity Type Healthcare Provider
State IN
Individuals Affected 4,194
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes