HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years

Mission Health in Western North Carolina has discovered that malicious code had been installed on its e-commerce websites, which patients used to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party.

The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the website three years previously, in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational.

Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent activity is identified relatively quickly. It is unclear in this instance whether that occurred and why the breach took almost three years to detect.

The malicious code did not give the attackers access to any health information or medical records, only financial information such as credit card numbers, expiry dates, and CVV codes along with cardholders’ names and addresses. The breach only affected individuals who had purchased items on the e-commerce sites store.mission-health.org and shopmissionhealth.org. The main website used by the healthcare provider – missionhealth.org – was not affected by the breach.

Mission Health has reviewed all transactions that occurred during the period of time that the malicious code was present and notification letters were sent on October 11, 2019 to all individuals who made purchases on the affected websites. Those individuals have been provided with information on the steps they should take to secure their accounts and have been advised to monitor their accounts for signs of fraudulent activity. All affected individuals have been offered free membership to credit monitoring services for 12 months.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.