Incident & Breach Response , Managed Detection & Response (MDR) , PCI Standards

Credit Card System Hack Led to HIPAA Breach Report

Baylor Scott & White Medical Center - Frisco Notifying Those Affected
Credit Card System Hack Led to HIPAA Breach Report
Baylor Scott & White Medical Center - Frisco reported a breach involving a credit card processing system.

The hacking of a credit card processing system has prompted a Texas hospital to notify federal regulators and nearly 48,000 affected individuals of a breach as required by the HIPAA Breach Notification Rule.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

Although credit card breaches are relatively rare in the healthcare sector, another card-related breach reported in August by Arizona-based Banner Health opened the door to the exposure of data on millions of individuals.

Payment-related security incidents qualify as reportable breaches under the HIPAA Breach Notification Rule because they involve the exposure of identifiers that are considered protected health information, notes privacy attorney Kirk Nahra of the law firm Wiley Rein.

In a statement, Baylor Scott & White Medical Center - Frisco says that on Sept. 29, the Texas hospital discovered an issue with a third-party vendor's credit card processing system. The incident impacted patients or guarantors whose payment information - including partial credit card information - was potentially compromised.

Upon discovery of the incident, the hospital says it immediately notified its vendor and terminated credit card processing through the company. An investigation determined the inappropriate computer intrusion occurred between Sept. 22 and 29, the hospital says.

The Department of Health and Human Services' HIPAA Breach Reporting Tool website lists the breach as a hacking/IT incident reported on Nov. 26 involving a network server and impacting 47,984 individuals. Commonly called the "wall of shame," the HHS' Office for Civil Rights website lists major health data breaches impacting 500 or more individuals.

No Known Data Misuse

The hospital says there is no indication the exposed information has been misused by unauthorized individuals or entities.

"It is important to note that the hospital's information and clinical systems were not affected, and medical information was not compromised. Social Security numbers and medical record information were not accessed. No other Baylor Scott & White facility was impacted," the statement adds.

Data that may have been accessed by hackers includes name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number and status of transaction.

Keith Fricke, principal consultant at tw-Security, points out that name, address, date of birth and medical record number are all considered PHI under HIPAA.

The medical center is providing affected patients or guarantors with one year of prepaid credit monitoring services, the statement notes.

The medical center is a joint venture managed by United Surgical Partners International, or USPI, a provider of ambulatory surgery services, the statement says.

A USPI spokeswoman would not comment to Information Security Media Group about the Baylor Scott & White Medical Center - Frisco incident, including declining to identify the credit card processing vendor involved. Baylor Scott & White Medical Center - Frisco did not immediately respond to ISMG's request to the hospital for comment.

Payment Card Incidents

Attacks targeting the payment card processing systems of retailers - including high-profile attacks against Target and Home Depot - have become common in recent years, but relatively few such breaches have been revealed in the healthcare sector.

"Some credit card handling processes are completely removed from the hospital's environment and handled on a third-party website that is separate and distinct from the hospital's network," Fricke notes. "In many cases, card data may be handled, processed or stored within the hospital's network or systems. PCI-compliant systems process and transmit information securely and also do not store card data - encrypting or tokenizing the data if they do."

In the Banner Health back in August, however, attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently also opening the door to the attackers accessing a variety of healthcare-related information on 3.7 million individuals.

Banner's notification statement noted the hack of card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems. Cards used at affected outlets were affected, but card transactions used to pay for medical services were not affected, Banner said.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.