Credit Card System Hack Led to HIPAA Breach ReportBaylor Scott & White Medical Center - Frisco Notifying Those Affected
The hacking of a credit card processing system has prompted a Texas hospital to notify federal regulators and nearly 48,000 affected individuals of a breach as required by the HIPAA Breach Notification Rule.
See Also: HIPAA Audits: A Revised Game Plan
Although credit card breaches are relatively rare in the healthcare sector, another card-related breach reported in August by Arizona-based Banner Health opened the door to the exposure of data on millions of individuals.
Payment-related security incidents qualify as reportable breaches under the HIPAA Breach Notification Rule because they involve the exposure of identifiers that are considered protected health information, notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
In a statement, Baylor Scott & White Medical Center - Frisco says that on Sept. 29, the Texas hospital discovered an issue with a third-party vendor's credit card processing system. The incident impacted patients or guarantors whose payment information - including partial credit card information - was potentially compromised.
Upon discovery of the incident, the hospital says it immediately notified its vendor and terminated credit card processing through the company. An investigation determined the inappropriate computer intrusion occurred between Sept. 22 and 29, the hospital says.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website lists the breach as a hacking/IT incident reported on Nov. 26 involving a network server and impacting 47,984 individuals. Commonly called the "wall of shame," the HHS' Office for Civil Rights website lists major health data breaches impacting 500 or more individuals.
No Known Data Misuse
The hospital says there is no indication the exposed information has been misused by unauthorized individuals or entities.
"It is important to note that the hospital's information and clinical systems were not affected, and medical information was not compromised. Social Security numbers and medical record information were not accessed. No other Baylor Scott & White facility was impacted," the statement adds.
Data that may have been accessed by hackers includes name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number and status of transaction.
Keith Fricke, principal consultant at tw-Security, points out that name, address, date of birth and medical record number are all considered PHI under HIPAA.
The medical center is providing affected patients or guarantors with one year of prepaid credit monitoring services, the statement notes.
The medical center is a joint venture managed by United Surgical Partners International, or USPI, a provider of ambulatory surgery services, the statement says.
A USPI spokeswoman would not comment to Information Security Media Group about the Baylor Scott & White Medical Center - Frisco incident, including declining to identify the credit card processing vendor involved. Baylor Scott & White Medical Center - Frisco did not immediately respond to ISMG's request to the hospital for comment.
Payment Card Incidents
Attacks targeting the payment card processing systems of retailers - including high-profile attacks against Target and Home Depot - have become common in recent years, but relatively few such breaches have been revealed in the healthcare sector.
"Some credit card handling processes are completely removed from the hospital's environment and handled on a third-party website that is separate and distinct from the hospital's network," Fricke notes. "In many cases, card data may be handled, processed or stored within the hospital's network or systems. PCI-compliant systems process and transmit information securely and also do not store card data - encrypting or tokenizing the data if they do."
In the Banner Health back in August, however, attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently also opening the door to the attackers accessing a variety of healthcare-related information on 3.7 million individuals.
Banner's notification statement noted the hack of card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems. Cards used at affected outlets were affected, but card transactions used to pay for medical services were not affected, Banner said.