[BreachExchange] Mission Health data breach: e-commerce site contained 'malicious code' for 3 years

Destry Winant destry at riskbasedsecurity.com
Mon Oct 21 10:11:42 EDT 2019


https://www.citizen-times.com/story/news/local/2019/10/18/mission-health-data-breach-e-commerce-site-contained-malicious-code-for-3-years/4007997002/

ASHEVILLE – Mission Health has reached out to an unspecified number of
Western North Carolina residents after a data breach involving the
hospital system's e-commerce website.

The hospital system, owned by Nashville-based HCA Healthcare, said it
recently "identified and addressed" a security incident involving
information consumers provided when making purchases in its online
store. In an Oct. 11 letter obtained by the Citizen Times, Mission said
it determined Sept. 13 that malicious code was inserted into its
website's legitimate code and was sending payment information to "an
unauthorized person."

The letter signed by Beth Cirillo, listed as an executive director and
HIPAA privacy officer of HCA's North Carolina Division, said malicious
code was present on its e-commerce sites — including
shopmissionhealth.org — from March 27, 2016 through June 26, 2019.
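The letter describes unauthorized code that sat inside the site's legitimate code for more than three years. The most basic control that surfaces that kind of change is a file-integrity baseline: hash every file in the deployed web tree against a known-good copy and alert on anything added or modified. The script below is an added example and is not code from the article, from Mission Health, or from HCA; the directory layout, file names and the appended line it checks for are all constructed for the demonstration, and the baseline would in practice be stored off the web host.

```python
"""Added example (not from the article): a minimal file-integrity baseline
for a web application's source tree. Code inserted into legitimate files
shows up as a modified or added path when the current tree is compared
with a known-good baseline. Paths and contents here are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every file under root (as a relative path) to its digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(known_good: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    modified = sorted(
        p for p in known_good if p in current and known_good[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate an
    unauthorized edit and an unexpected new file, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function pay() {}\n")
        (root / "index.html").write_text("<html></html>\n")
        known_good = baseline(root)  # in practice, stored off the web host

        # Constructed change: a line appended to the legitimate checkout script
        with (root / "js" / "checkout.js").open("a") as f:
            f.write("// unexpected addition (constructed for the example)\n")
        # Constructed change: a file that was never part of the deployment
        (root / "js" / "extra.js").write_text("// file not in baseline\n")

        return compare(known_good, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script reports `js/checkout.js` as modified and `js/extra.js` as added. A scan like this only helps if it runs on a schedule and its baseline is refreshed as part of a controlled deployment, so that a change nobody deployed stands out instead of being silently re-baselined.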

An internal review of all transactions made during that time period
found names, addresses, payment card numbers, expiration dates and CVV
codes "may have been captured by the unauthorized person(s),"
according to the letter. Cirillo said the breach did not involve
access to patient medical records or treatment information.

"We deeply regret any concern or inconvenience this incident may cause
you," the letter states.

In a statement, a Mission spokeswoman said the system takes the
privacy and security of information "very seriously." The statement
notes Mission sent letters to affected consumers — though it does not
specify how many were impacted during the more than three years the
code was present in its systems.

Mission says it has taken steps to rectify the situation. To affected
customers, it is offering one free year of membership to a credit
monitoring service. It also has pulled down the online shop, which
included personal care items, over-the-counter medications and
vitamins, among other items, as well as childbirth, wellness and
weight management classes, the Internet Archive shows.

"The impacted website was not part of our primary missionhealth.org
site, and has been taken offline and is being completely rebuilt," the
spokeswoman said in an email.

Privacy Rights Clearinghouse, a nonprofit organization tracking data
breaches, estimates more than 9,100 data breaches have been made
public since 2005, containing more than 10.4 billion records that have
been exposed. In 2018, more than half of the breaches reported came
from the healthcare industry, including medical providers and medical
insurance services, the organization's database shows.

Earlier this year, North Carolina Attorney General Josh Stein was part
of an executive committee which coordinated a more than $700 million
payout from credit monitoring bureau Equifax after an investigation
found it did not maintain a "reasonable security system," leaving it
vulnerable to hacking.
