Texas Hospital Discloses Third-Party Breach
The payment information of more than 47,000 patients was potentially compromised after the Baylor Scott & White Medical Center in Frisco, Texas, suffered a third-party data breach, according to the hospital’s notice of a data security incident.
The hospital disclosed that it had sent letters to more than 47,000 patients and guarantors, alerting them to the possibility that their payment information, which could include partial credit card information, might have been compromised. “Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions,” said Justin Jett, director of audit and compliance for Plixer.
The disclosure notice states: “On September 29, 2018, the hospital discovered an issue with a third-party vendor’s credit card processing system. The hospital immediately notified the vendor and terminated credit card processing through them. An investigation determined the inappropriate computer intrusion occurred between September 22-29, 2018. There is no indication the information has been further disclosed or misused by any other unauthorized individuals or entities.”
While the hospital’s information and clinical systems were not impacted and no medical information was compromised, the data that might have been accessed includes names, addresses and dates of birth, as well as medical record numbers and the dates of service. Insurance provider information and account numbers, along with the last four digits of the credit card, account balances and invoice numbers, could also be among the information compromised in the data breach.
“The Baylor Scott and White Medical Center-Frisco felt firsthand the effects of a third-party breach, as they were forced to notify over 47,000 patients that their payment information had been exposed,” said Fred Kneip, CEO, CyberGRX. “We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”
Source: Information Security Magazine