Baylor Scott & White Medical Center, a Texan medical centre based in Frisco, has announced that due to a data security incident, the payment information of nearly 48,000 individuals has been breached.
The medical centre is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health. Earlier this year, they discovered an issue with the credit card processing system of one of its third-party vendors. An investigation was launched into the issue, which revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical centre informed the vendor. All credit card transactions through the vendor’s system were stopped. Those affected were determined to be both patients and guarantors of the medical centre.
During their investigation, Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused. However, due to the sensitive nature of the breach, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive.
The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or Social Security numbers were exposed. Only the Frisco medical centre was affected by the breach, and none of the other associated medical centres were implicated.
The information that was exposed and potentially accessed by an unauthorized individual was limited to: Names, addresses, dates of service, medical record numbers, health insurance provider information, account numbers, the last four digits of credit card numbers, CCV numbers, type of credit card used, recurring payment dates, account balances, invoice numbers, and transaction statuses.
In accordance with HIPAA’s Breach Notification Rule, all individuals affected by the breach have been notified by mail. Due to the scale of the breach, the data security incident was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018. The OCR breach portal indicates 47,948 individuals have been affected.