Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years

Mission Health in Western North Carolina has discovered that malicious code was installed on its e-commerce websites, which patients used to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party.

The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the website three years previously, in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational.

Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent activity is identified relatively quickly. It is unclear in this instance whether that occurred and why the breach took almost three years to detect.

The malicious code did not give the attackers access to any health information or medical records, only financial information such as credit card numbers, expiry dates, and CVV codes along with cardholders’ names and addresses. The breach only affected individuals who had purchased items on the e-commerce sites store.mission-health.org and shopmissionhealth.org. The main website used by the healthcare provider – missionhealth.org – was not affected by the breach.

Mission Health has reviewed all transactions that occurred while the malicious code was present, and notification letters were sent on October 11, 2019, to all individuals who made purchases on the affected websites. Those individuals have been provided with information on the steps they should take to secure their accounts and have been advised to monitor their accounts for signs of fraudulent activity. All affected individuals have been offered free membership to credit monitoring services for 12 months.

Author: HIPAA Journal