Credit Card Numbers Exposed in BJC HealthCare Breach
BJC HealthCare, one of the largest not-for-profit healthcare networks in the United States, has discovered that hackers gained access to the website hosting its patient portal and uploaded malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal.
The breach was discovered on November 19, 2018. The internal investigation revealed that malware had been uploaded to the payment portal on October 25, 2018, and payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed.
BJC HealthCare reports that no Social Security numbers or medical information was compromised. The breach was limited to patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment.
While the above information was potentially intercepted, BJC HealthCare has not received any reports to suggest the attackers obtained and misused patients’ or payors’ data. However, all affected individuals have been advised to carefully monitor their bank and credit card statements for any unauthorized payments.
BJC HealthCare has now implemented additional security controls on its payment portal that provide enhanced protection against malware. All affected patients have been notified of the breach by mail, and the incident has been reported to appropriate authorities.
CCRM Dallas-Fort Worth Notifies 1,117 Patients of Email Account Breach
The email account of a nurse at CCRM Dallas-Fort Worth has been accessed by an unauthorized individual. The email account breach was detected on October 4, 2018, following reports from patients who had received spam emails from the nurse’s account.
CCRM Dallas-Fort Worth immediately deactivated the email account and contacted its IT vendor, which launched an investigation. It was confirmed that the account had been accessed and that emails containing patients’ protected health information may have been viewed by the attacker.
The email account contained a range of patient information including names, addresses, email addresses, health insurance information, health information and medical histories, and a limited number of Social Security numbers and driver’s license numbers.
Aside from patients’ email addresses being used by the attacker, no other evidence of PHI misuse has been discovered.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach portal entry indicates 1,117 patients have been affected by the breach. Patients affected by the breach were notified by mail on December 3, 2018.