BJC HealthCare has announced that the details of nearly 6,000 credit cards were compromised following a cybersecurity incident.
BJC HealthCare, based in Missouri, discovered the breach on November 19, 2018. Hackers were discovered to have gained unauthorised access to the website hosting its patient portal, and used this access to upload malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal.
Once the breach was discovered, an investigation was launched to determine the extent of the attack. It revealed that the malware had been uploaded to the payment portal on October 25, 2018 and that payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed.
The information compromised in the breach included patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment. No Social Security numbers or medical information is known to have been compromised.
In a statement, BJC HealthCare said that it has yet to uncover any evidence to suggest the attackers obtained and misused patients' information. Furthermore, it has yet to receive reports from individuals affected by the breach that they have been victims of any kind of fraud. However, particularly due to the nature of the data compromised in the breach, vigilance is advised. All affected individuals have been advised to carefully monitor their bank and credit card statements for any unauthorized payments.
BJC HealthCare has now implemented additional security controls on its payment portal that provide enhanced protection against malware. In accordance with HIPAA’s Breach Notification Rule, all affected patients have been notified of the breach by mail and the incident has been reported to appropriate authorities.
BJC HealthCare is one of the United States’ largest not-for-profit healthcare networks, servicing 15 hospitals and around 26,000 staff members.
This is the second major data security incident to affect BJC HealthCare this year; in March, it was discovered that the PHI of over 33,000 patients had been easily accessible online without the need for user authentication due to a misconfigured server. The information was available online for nearly 8 months.