Healthcare E-Commerce Site Breach Undetected for YearsMission Health Says Patient Medical Data Was Not Exposed
A North Carolina-based healthcare organization has reportedly discovered that malicious code had been contained on its e-commerce site for three years, sending consumers' payment information to unauthorized individuals.
In a Oct. 11 notification letter sent to affected individuals, Mission Health reportedly says it determined on Sept. 13 that malicious code was contained on its online store websites from March 27, 2016 through June 26, 2019 and was sending payment information to unauthorized persons, says local news site Citizen Times.
In a statement to Information Security Media Group, the Asheville, N.C.-based healthcare system confirmed that it recently identified and addressed a security incident "that may have involved some of the information consumers provided when making purchases on the Mission Health eCommerce website, either at store.mission-health.org or shopmissionhealth.org."
Mission Health did not immediately confirm for ISMG other media reports that the malicious code existed for three years on its ecommerce site before being discovered. Mission Health also did not immediately comment on why it took so long to discover the malware, or how many individuals were potentially affected.
"We conducted a comprehensive review of all transactions made on the site during the timeframe of the incident, and have sent letters to consumers whose data may have been impacted," Mission Health says in its statement to ISMG.
"This was not a site that contained patient data, but was simply an online store where consumers bought general health-related products," Mission Health added.
Citizen Times reported that Mission Health's notification letters to affected individuals said impacted information included names, addresses, payment card numbers, expiration dates and CVV codes.
Other healthcare sector entities have also had delayed discoveries of breaches that lasted for years.
In one extreme case, Dominion National, an Arlington, Virginia-based vision and dental insurer revealed in June that it had only recently discovered a nine-year-old security incident involving unauthorized access to its computer servers.
A recent study by IBM found that, on average, companies take about 206 days to identify a breach and 73 days to contain it.
But longer lags in detecting breaches are not unusual.
For example, the 2014 cyberattack on health insurer Anthem that resulted in a data breach impacting nearly 79 million individuals was determined to have started nearly a year before it was detected and disclosed (see: Analysis: Did Anthem's Security Certification Have Value?).
Why So Long?
An important lesson to be learned from the Mission Health incident is that any organization that handles personally identifiable information should perform technical security assessments to ensure that it has effective information security practices and safeguards, says privacy attorney David Holtzman of the security consultancy CynergisTek.
"The greater the sensitivity of the data, the more comprehensive and thorough the examination. Just as important is to require vendors perform assessments of their information security practices and safeguards to ensure your organization's personally identifiable data is adequately protected from unauthorized access and disclosure," he says.
Some measures can help detect the presence of malicious code sooner, including conducting penetration testing, a web application assessment, or static code analysis, Holtzman notes. "Employing a third party monitoring service or content delivery network would likely have detected suspicious network activity," he adds.
"Generally, developers and vendors that operate an internet website that handles personally identifiable information should put into place reasonable security measures to ensure that the data is protected from unauthorized access and disclosure."
Kate Borten, president of privacy and security consulting firm The Marblehead Group says she's surprised the Mission Health ecommerce compromise was not discovered sooner.
"It's puzzling that a fraudulent purchase and billing transaction didn't get picked up promptly," she says.
"If I buy a product, I expect delivery and would follow up if it weren't received. On the other hand, if I receive a product but the vendor doesn't get paid, won't they pursue that with me? It may be that the organization treated each incident as a one-off situation and never put them together to suspect fraud."
Borten adds: "Surely some of the affected individuals should have concluded their credit cards were used fraudulently in conjunction with the Mission Health website."
The incident does not appear to be a HIPAA breach, despite involving a healthcare entity, Borten says. "It was a public website not restricted to Mission Health patients," she notes. However, the incident triggers various state breach notification requirements.