Malicious code embedded on Mission Health’s store website directed payment information to an unauthorized individual and went undetected for three years, according to local news outlet ABC13 WLOS.

According to officials, the malicious code was first installed in March 2016 and remained in place until it was discovered in June 2019. The North Carolina health system recently began mailing notification letters to patients. However, there is no notice about the security incident displayed on the website.

The incident only impacted the online store designed for patients to purchase health products, either store.mission-health.org or shopmissionhealth.org. Attempts to reach the site are met with the message: “The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

Mission Health took those sites offline and is currently rebuilding them completely.

The notification letter stressed that the hacker did not have access to medical records. But credit card information could have been stolen at any time during the impacted timeframe. Officials did not explain how the incident went undetected for three years.

Philadelphia Department of Health Website Misconfiguration

The Philadelphia Department of Public Health recently began notifying certain patients that their data was potentially exposed due to a misconfiguration of its opioid data website, according to local news outlet Philadelphia Inquirer.

The agency created a public tool designed to track the prevalence of hepatitis infections. However, the tool left patient information exposed to the public, including names, Social Security numbers, dates of birth, contact details, test results, and other sensitive health information of thousands of Philadelphia residents. The data was primarily related to positive test results for hepatitis B and C, for patients between 2013 and 2018.

An Inquirer reporter actually discovered the breach and notified the department. The data was removed shortly after officials were notified, but there’s no indication of how long the data was exposed.

“We deeply regret the inadvertent exposure of personal health information on our website,” said Thomas Farley, Philadelphia’s health commissioner, in a statement. “We will conduct a thorough investigation of this incident, attempt to determine if any confidential information was accessed by others, take appropriate corrective actions, and do everything we can to protect the privacy and security of personal information.”

Officials are currently investigating the incident to determine the scope and whether the data was accessed during the misconfiguration.

Ransomware Attack Impacts Magnolia Pediatrics

Louisiana-based Magnolia Pediatrics fell victim to a ransomware attack in August, which potentially impacted some patient data.

The attack began August 23 and encrypted patient data stored on the network. An investigation led by a third-party computer technology vendor showed the hacker did not exfiltrate any patient information during the attack. But officials are notifying patients of the incident, out of an abundance of caution.

The virus encrypted patient information including names, dates of birth, contact details, insurance information, Social Security numbers, medical record numbers, and other clinical data, like medical histories, medications, and diagnoses.

Magnolia contacted the FBI and is currently working with their team on the ongoing investigation. Officials said they are also implementing improved security features to prevent a recurrence.

Monterey Health Center Ransomware Attack

Monterey Health Center recently began notifying patients that the Milwaukie, Oregon provider experienced a ransomware attack that potentially compromised patient information.

On August 12, Monterey Health’s electronic medical records system was encrypted with ransomware. The server stored patient data, so officials worked quickly to restore access to the information to ensure patient care was not disrupted.

Assisted by a third-party vendor, Monterey Health was able to successfully restore the data. A forensic investigator determined no data was exfiltrated during the security incident. But officials said they could not rule out unauthorized access to data.

The server contained patient information such as names, driver’s licenses, financial account information, Social Security numbers, medications, dates of birth, diagnoses, treatments, health insurance information, and/or claims data.

The provider is continuing to work with its third-party team to bolster its security and will take steps to improve its security processes.

Source: Malicious Code on Mission Health Store Website Undetected for 3 Years