Cybersecurity and 3rd Party Attacks
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Baylor Scott & White Medical Center is located in Texas. This is far from the northern region where the Meadow is located and the winter is long and cold. The medical center was organized as a joint venture managed by the United Surgical Partners International (USPI). As we know from the prior attacks on medical facilities and offices, these are rather blatant targets due to several factors, including the cash flow through the facility, and let us not forget the medical records themselves.
The facility’s credit card processing was done by a 3rd party. This same credit card system was breached. The attackers sought to secure the patient’s and guarantor’s payment and credit card data. The hospital detected the attack on September 29, 2018. The breach, while significant, was open from September 22 – 29.
The issue was with the 3rd party’s credit card processing system. This is not a new concept for the attacker’s. This same vector has been exploited a number of times over the years. One of the larger and more prolific breaches in recent memory occurred using this method. The timing for this was near the end of the year holiday season, with Target being breached. One of their vendors, who had access to the Target system, had a corrupt system, which allowed the attack in.
The breach affected 47,984 persons. These were the patients and/or the guarantors. The medical practice reported the issue to the US Department of Health and Human Services. Per the HIPAA breach notification rule, the affected persons were notified with letters. Fortunately for the patients and guarantors, there has been no evidence to date the data had been misused. Although this is good news, the attackers may use the data at a later point in time, until the payment information changes.
The data that may have been accessed by the attackers includes the name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number, and status of transaction. While the credit card information would need to be used prior to the credit cards being replaced, the data in its entirety could be used with phishing for the longer term. This could also be used for fraudulent transactions and potentially for identity theft for the skilled phishers. A positive point with this is the data did not include the social security numbers or medical record information.
Although the data is inherently pertinent, the attack could have been much worse. The hospital’s systems other systems were not affected by this.
Once the breach was detected, the hospital notified the vendor and terminated the credit card processing handled by the vendor. The medical center is providing a one year free credit monitoring service for the affected parties.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
CBS DFW. (2018, December 10). Data breach could impact 47k patients treated at north texas hospital. Retrieved from https://dfw.cbslocal.com/2018/12/10/data-breach-texas-hospital/
Cyware. (2018, December 11). Data breach at baylor scott & white medical center impacts nearly 47,000 patients. Retrieved from https://cyware.com/news/data-breach-at-baylor-scott-white-medical-center-impacts-nearly-47000-patients-646520aa
Davis, J. (2018, December 11). Third-party vendor hack breaches 48,000 baylor frisco patients. Retrieved from https://healthitsecurity.com/news/third-party-vendor-hack-breaches-48000-baylor-frisco-patients
Dissent. (2018, December 10). Baylor Scott & White Medical Center-Frisco notifies 47,000 patients after third-party bill payment vendor was hacked. Retrieved from https://www.www.databreaches.net/baylor-scott-white-medical-center-frisco-notifies-47000-patients-after-third-party-bill-payment-vendor-was-hacked/
McGee, M.K. (2018, December 10). Credit card system hack led to HIPAA breach report. Retrieved from https://www.databreachtoday.com/credit-card-system-hack-led-to-hipaa-breach-report-a-11830
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.