[BreachExchange] Credit Card System Hack Led to HIPAA Breach Report

Destry Winant destry at riskbasedsecurity.com
Tue Dec 11 08:54:55 EST 2018


https://www.databreachtoday.com/credit-card-system-hack-led-to-hipaa-breach-report-a-11830

The hacking of a credit card processing system has prompted a Texas
hospital to notify federal regulators and nearly 48,000 affected
individuals of a breach as required by the HIPAA Breach Notification
Rule.

Although credit card breaches are relatively rare in the healthcare
sector, another card-related breach reported in August by
Arizona-based Banner Health opened the door to the exposure of data on
millions of individuals.

Payment-related security incidents qualify as reportable breaches
under the HIPAA Breach Notification Rule because they involve the
exposure of identifiers that are considered protected health
information, notes privacy attorney Kirk Nahra of the law firm Wiley
Rein.

In a statement, Baylor Scott & White Medical Center - Frisco says that
on Sept. 29, the Texas hospital discovered an issue with a third-party
vendor's credit card processing system. The incident impacted patients
or guarantors whose payment information - including partial credit
card information - was potentially compromised.

Upon discovery of the incident, the hospital says it immediately
notified its vendor and terminated credit card processing through the
company. An investigation determined the inappropriate computer
intrusion occurred between Sept. 22 and 29, the hospital says.

The Department of Health and Human Services' HIPAA Breach Reporting
Tool website lists the breach as a hacking/IT incident reported on
Nov. 26 involving a network server and impacting 47,984 individuals.
Commonly called the "wall of shame," the HHS' Office for Civil Rights
website lists major health data breaches impacting 500 or more
individuals.

No Known Data Misuse

The hospital says there is no indication the exposed information has
been misused by unauthorized individuals or entities.

"It is important to note that the hospital's information and clinical
systems were not affected, and medical information was not
compromised. Social Security numbers and medical record information
were not accessed. No other Baylor Scott & White facility was
impacted," the statement adds.

Data that may have been accessed by hackers includes name, mailing
address, telephone number, date of birth, medical record number, date
of service, insurance provider information, account number, last four
digits of the credit card used for payment, the credit card CVV
number, type of credit card, date of recurring payment, account
balance, invoice number and status of transaction.

Keith Fricke, principal consultant at tw-Security, points out that
name, address, date of birth and medical record number are all
considered PHI under HIPAA.

The medical center is providing affected patients or guarantors with
one year of prepaid credit monitoring services, the statement notes.

The medical center is a joint venture managed by United Surgical
Partners International, or USPI, a provider of ambulatory surgery
services, the statement says.

A USPI spokeswoman would not comment to Information Security Media
Group about the Baylor Scott & White Medical Center - Frisco incident,
including declining to identify the credit card processing vendor
involved. Baylor Scott & White Medical Center - Frisco did not
immediately respond to ISMG's request for comment.

Payment Card Incidents

Attacks targeting the payment card processing systems of retailers -
including high-profile attacks against Target and Home Depot - have
become common in recent years, but relatively few such breaches have
been revealed in the healthcare sector.

"Some credit card handling processes are completely removed from the
hospital's environment and handled on a third-party website that is
separate and distinct from the hospital's network," Fricke notes. "In
many cases, card data may be handled, processed or stored within the
hospital's network or systems. PCI-compliant systems process and
transmit information securely and also do not store card data -
encrypting or tokenizing the data if they do."
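The handling rule Fricke describes (process and transmit card data, but do not retain it, and tokenize or encrypt it where retention is unavoidable) as an added Python example; this is not code from the article or from any organization named in it. The token vault, the field names and the sample records are assumptions for illustration, and the test card numbers are the standard public ones, not real cards.

```python
"""
Added example: a minimal "tokenize, don't store" model for card data held
alongside patient billing records.

A record as captured at payment time carries the full PAN and the CVV.
The record that the hospital-side system is allowed to persist keeps only
a vault token and the last four digits; the CVV is never read, so it can
never be written. A scan function then flags any stored record that still
carries a full PAN or a verification code. Names, fields and the in-memory
vault are assumptions for illustration.
"""
import re
import secrets
from dataclasses import dataclass, asdict

# 13-19 digits is the PAN length range; Luhn separates real PANs from
# other long numeric fields such as invoice or account numbers.
PAN_RE = re.compile(r"^\d{13,19}$")
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "ccv", "security_code"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, applied to the digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredPayment:
    """What the billing system may keep: no PAN, no CVV."""
    account_number: str
    pan_token: str
    last_four: str
    card_type: str


class TokenVault:
    """Maps a PAN to a random, non-reversible token.

    In a real deployment the PAN-to-token map lives in a separate,
    PCI-scoped system (often the processor's); here it is an in-memory
    dict so the example runs offline.
    """

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (PAN_RE.match(pan) and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        tok = self._by_pan.get(pan)
        if tok is None:
            # Random token: carries no information about the PAN itself.
            tok = "tok_" + secrets.token_hex(12)
            self._by_pan[pan] = tok
        return tok


def store_payment(vault: TokenVault, captured: dict) -> StoredPayment:
    """Build the persistable record from a captured payment.

    captured['cvv'] is deliberately never accessed: the verification code
    is sensitive authentication data and must not survive authorization.
    """
    pan = captured["pan"].replace(" ", "")
    return StoredPayment(
        account_number=captured["account_number"],
        pan_token=vault.tokenize(pan),
        last_four=pan[-4:],
        card_type=captured["card_type"],
    )


def find_sensitive_fields(record: dict) -> list:
    """Return the keys of a stored record that hold data PCI DSS forbids
    retaining: a full PAN (by shape and Luhn) or a verification code."""
    hits = []
    for key, value in record.items():
        digits = str(value).replace(" ", "")
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            hits.append(key)
        elif PAN_RE.match(digits) and luhn_ok(digits):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Constructed sample: public Visa test number, not a real card.
    captured = {"account_number": "ACCT-0001", "pan": "4111 1111 1111 1111",
                "cvv": "123", "card_type": "Visa"}
    vault = TokenVault()
    kept = store_payment(vault, captured)
    print(kept)
    print("sensitive fields in stored record:", find_sensitive_fields(asdict(kept)))
    print("sensitive fields in raw capture:", find_sensitive_fields(captured))
```

Running the module shows the stored record containing only the token and last four digits, while the same scan run over the raw capture flags both the PAN and the CVV; the scan is the kind of check worth running over any database or log table that sits near a payment flow.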

In the Banner Health incident back in August, however, attackers gained
unauthorized access to payment card processing systems at some of the
organization's food and beverage outlets, apparently also opening the
door to the attackers accessing a variety of healthcare-related
information on 3.7 million individuals.

Banner's notification statement noted the hack of card processing
systems exposed cardholders' names, card numbers, expiration dates and
verification codes as the data was being routed through the affected
systems. Cards used at affected outlets were affected, but card
transactions used to pay for medical services were not affected,
Banner said.

