BreachExchange mailing list archives
Mission Health data breach: e-commerce site contained 'malicious code' for 3 years
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 21 Oct 2019 09:11:42 -0500
https://www.citizen-times.com/story/news/local/2019/10/18/mission-health-data-breach-e-commerce-site-contained-malicious-code-for-3-years/4007997002/

ASHEVILLE – Mission Health has reached out to an unspecified number of Western North Carolina residents after a data breach involving the hospital system's e-commerce website.

The system owned by Nashville-based HCA Healthcare said it recently "identified and addressed" a security incident involving information consumers provided when making purchases in its online store.

In an Oct. 11 letter obtained by the Citizen Times, Mission said it determined Sept. 13 that malicious code was inserted into its website's legitimate code and was sending payment information to "an unauthorized person."

The letter signed by Beth Cirillo, listed as an executive director and HIPAA privacy officer of HCA's North Carolina Division, said malicious code was present on its e-commerce sites — including shopmissionhealth.org — from March 27, 2016 through June 26, 2019.

An internal review of all transactions made during that time period found names, addresses, payment card numbers, expiration dates and CVV codes "may have been captured by the unauthorized person(s)," according to the letter.

Cirillo said the breach did not involve access to patient medical records or treatment information.

"We deeply regret any concern or inconvenience this incident may cause you," the letter states.

In a statement, a Mission spokeswoman said the system takes the privacy and security of information "very seriously." The statement notes Mission sent letters to affected consumers — though it does not specify how many were impacted during the more than three years the code was present in its systems.

Mission says it has taken steps to rectify the situation. To affected customers, it is offering one free year of membership to a credit monitoring service.

It also has pulled down the online shop, which included personal care items, over-the-counter medications and vitamins, among other items, as well as childbirth, wellness and weight management classes, the Internet Archive shows.

"The impacted website was not part of our primary missionhealth.org site, and has been taken offline and is being completely rebuilt," the spokeswoman said in an email.

Privacy Rights Clearinghouse, a nonprofit organization tracking data breaches, estimates more than 9,100 data breaches have been made public since 2005, containing more than 10.4 billion records that have been exposed.

In 2018, more than half of the breaches reported came from the healthcare industry, including medical providers and medical insurance services, the organization's database shows.

Earlier this year, North Carolina Attorney General Josh Stein was part of an executive committee which coordinated a more than $700 million payout from credit monitoring bureau Equifax after an investigation found it did not maintain a "reasonable security system," leaving it vulnerable to hacking.