Malicious software that compromised the online payment portal of BJC Healthcare in St. Louis has the organization notifying 5,850 affected individuals.
Credit card information entered into the payment portal potentially could have been exposed. BJC learned of the breach on November 19. An internal investigation found that the malware permitted electronic collection of patient information in the portal from October 25 through November 8.
The media notification letter did not include an offer of credit or identity theft protection services for affected individuals; BJC did not respond to a question on whether such services would be offered.
Individuals making the payments were mailed a letter, explaining the incident and including recommended precautions for securing their health and financial information.
“BJC has no indication to date that any information was actually misused,” the provider noted in the letter. As a precaution, individuals whose payment information may have been exposed are advised to carefully review credit card and bank statements and immediately contact their credit card holder or banking institution about any inconsistencies or suspicious activity.”
Social Security numbers and medical information were not affected by the attack but other information that may be comprised include names, dates of birth, billing account number, information of individuals making the payment, addresses, and credit card or bank account information.
BJC apologized to affected patients and families, a practice which the HHS Office for Civil Rights is strongly encouraging. Since the incident, BJC has implemented additional safeguards against malware.