Credit Card Breach at BJC HealthCare and PHI Breach at CCRM Dallas-Fort Worth

BJC HealthCare, a large not-for-profit healthcare network in the U.S., has discovered that hackers uploaded malware to its patient portal, which potentially allowed the interception of credit/debit card numbers entered into the payment portal.

BJC HealthCare discovered the breach on November 19, 2018, and immediately launched an investigation. The results of the internal investigation showed that on October 25, 2018, the hacker uploaded malware to the payment portal. It’s possible that the hacker was able to intercept payment information until November 8, 2018. During that period, a total of 5,850 credit/debit card payments were processed.

According to BJC HealthCare, no compromise of Social Security numbers or healthcare data occurred. The breach only resulted in the exposure and possible theft of patients’ names, birth dates and addresses, together with the name, billing address, and credit card details or bank details of the individual making the payment.

Although the above information was possibly intercepted, BJC HealthCare has not received any reports to indicate the attackers acquired and misused the data of any patient or payor. Nonetheless, all affected persons have been sent notifications and have been advised to check their credit card and bank statements for unauthorized transactions.

BJC HealthCare has already implemented further safeguards on its payment portal to improve protection against malware.

CCRM Dallas-Fort Worth Data Breach Announced

The email account of a CCRM Dallas-Fort Worth nurse has been accessed by an unauthorized person. The breach was discovered on October 4, 2018, after patients reported that they had received spam emails from the email account of the nurse.

CCRM Dallas-Fort Worth promptly deactivated the nurse’s email account and got in touch with its IT vendor, which started an investigation. The investigators verified the unauthorized access of the account and that emails containing patients’ protected health information were potentially viewed.

The email account included an array of patient data such as names, addresses, email addresses, health insurance details, health data and healthcare histories, and some driver’s license numbers and Social Security numbers. Besides the use of the patients’ email addresses by the attacker, there is no other indication that their PHI was misused.

CCRM Dallas-Fort Worth has already reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates 1,117 patients were impacted by the breach. Patients were informed by mail on December 3, 2018.