Security breach at HISD vendor compromises some employee data

The Houston Independent School District recently learned of a data breach that affected one of the district’s vendors, Medical Informatics Engineering (MIE). MIE is a medical records company that works with Concentra, which operates the district’s two onsite health clinics.

MIE has mailed letters to affected employees about the security breach, along with information about how to sign up for two years of free credit monitoring and identity restoration services.

Below is information employees need to know about the data breach and next steps to take.

What happened?
An unauthorized person or group was able to access records of a significant number of current and former HISD employees and their dependents. The breach took place at Medical Informatics Engineering (MIE), a company which electronically stores medical records. Concentra, the vendor HISD uses to provide staffing and operational management of HISD’s two onsite health clinics, is a client of Medical Informatics Engineering.

Why did MIE have HISD employee information?
HISD provides employee information, including that of dependents, to Concentra to determine eligibility to use our onsite health clinics. MIE was contracted by Concentra to store those electronic records.

How do I know if I am affected?
MIE mailed letters on or before July 25, 2015, to affected individuals for whom they had a valid mailing address.

If an employee believes they were affected by this incident but either lost letter or have not received the notice letter by Aug. 15, 2015, call the toll free hotline: 866-328-1987, which is open 8 a.m.-8 p.m. Monday-Friday, except for holidays.

What information was compromised/stolen?
Representatives said the data breach involved personal information that varies by individual. The affected data may include the individual’s name, Social Security number, telephone number, mailing address, username, password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics.

If a person’s medical records were compromised, it will be listed on the letter that was mailed to the affected individuals.

What is HISD doing about the data breach and preventing future incidents?
HISD has been in contact with Concentra representatives, which have said MIE is enhancing the security of their networks and increasing monitoring of those networks to prevent future attacks. MIE also is working with the FBI’s Cyber Squad, which is conducting an investigation.

In addition, HISD is in the process of reviewing which outside vendors have employee information, how to best limit the amount of personal information necessary, and ensure it is as secure as possible.

What can I do to protect myself?
MIE is offering a complimentary two-year subscription to Experian’s credit monitoring and identity restoration service to affected individuals. Information on how to sign up for this service was included in the letter mailed to employees’ homes. The activation code for each individual is personalized, so employees will need the letter to begin the credit monitoring/identity restoration service. If they do not have the letter, employees can call a toll-free hotline at 866-328-1987 for assistance in obtaining their activation code. The deadline to sign up for the complimentary service is Oct. 25, 2015.

However, all employees are encouraged to closely monitor their financial accounts and monitor credit reports for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order the free credit report, go to www.annualcreditreport.com or call 877-322-8228.

Employees also can visit the Federal Trade Commission’s website, which provides recommended actions in the case someone’s personal information has been lost or exposed.

Are there any other services the district offers to help me?
Additional support is available for employees who are enrolled in the Personal Legal Plan (Hyatt Legal Plans, 800-821-6400), which offers identity theft restoration services. The district’s Employee Assistance Program (Aetna Resources for Living, 855-574-4473), which is available to all employees at no cost, also offers assistance with financial issues.