This article originally appeared in SC Magazine on December 11, 2018.
A breach discovered September 29 at Baylor Scott & White Medical Center – Frisco may have compromised the payment information of about 47,000 patients or guarantors.
The hospital said the issue originated with a third party’s credit card processing system, prompting it to terminate credit card processing through that vendor. A follow-up investigation found that the information – including names, mailing addresses, birth dates, telephone numbers, date of birth,medical record numbers, insurance provider data, dates of service, account numbers, credit card types, last four digits of the credit cards, CCV numbers, recurring payment dates, account balances and invoice numbers – may have been accessed between Sept. 22 – Sept. 29 but produced no evidence that the information was disclosed or used by others.
“It is important to note that the hospital’s information and clinical systems were not affected, and medical information was not compromised. Social Security numbers and medical record information were not accessed,” the hospital said in an alert, noting that no other facility in the Baylor Scott & White system had been affected.
“Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions,” said Justin Jett, director of audit and compliance for Plixer. “While credit card systems don’t contain information relating to specific medical data, it does leak information about which providers a patient has visited, which is protected under HIPAA.”
Mike Bittner, digital security and operations manager of The Media Trust, pointed out that “credit card-related hacks are happening with rising frequency because when successful they provide bad actors with a trove of information they can immediately exploit, use in later attacks, or sell in the black market.”
Hackers understand that third parties often are involved in processing the information. “To the formers’ benefit, the latter often have weak security postures and provide a trusted connection to their clients’systems — factors that make them ideal targets,” he said, calling for industry standards like PCI DSS and HIPAA that promote data privacy and security to “address the risks that third parties pose, especially as outsourcing payment processes and website management have become the norm.”