Credit Card Breach at BJC HealthCare and PHI Breach at CCRM Dallas-Fort Worth

BJC HealthCare, a large not-for-profit healthcare network in the U.S., has discovered that hackers uploaded malware to its patient portal, which potentially allowed the interception of credit/debit card numbers entered into the payment portal.

BJC HealthCare discovered the breach on November 19, 2018 and immediately launched an investigation. The internal investigation showed that the hacker uploaded malware to the payment portal on October 25, 2018. It's possible that the hacker was able to intercept payment information until November 8, 2018. During that period, a total of 5,850 credit/debit card payments were processed.

According to BJC HealthCare, no compromise of Social Security numbers or healthcare data occurred. The breach only resulted in the exposure and possible theft of patients’ names, birth dates and addresses, together with the name, billing address, and credit card details or bank details of the individual making the payment.

Although the above information was possibly intercepted, BJC HealthCare has not received any reports to indicate the attackers acquired and misused the data of any patient or payor. Nonetheless, all affected persons have been sent notifications and have been advised to check their credit card and bank statements for unauthorized transactions.

BJC HealthCare has already implemented further safeguards on its payment portal to improve protection against malware.

CCRM Dallas Fort Worth Data Breach Announced

The email account of a CCRM Dallas Fort Worth nurse has been accessed by an unauthorized person. The breach was discovered on October 4, 2018, after patients reported that they had received spam emails from the email account of the nurse.

CCRM Dallas-Fort Worth promptly deactivated the nurse’s email account and contacted its IT vendor, who started an investigation. The investigators verified the unauthorized access of the account and that emails containing patients’ protected health information were potentially viewed.

The email account included an array of patient data such as names, addresses, email addresses, health insurance details, health data and healthcare histories, and some driver’s license numbers and Social Security numbers. Besides the use of the patients’ email addresses by the attacker, there is no other indication that their PHI was misused.

CCRM Dallas-Fort Worth has already reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates 1,117 patients were impacted by the breach. Patients were informed by mail on December 3, 2018.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/