Processor Breach Leads RoundupPayment Card Information for 7,000 Compromised
In this week's breach roundup, Medical University of South Carolina is notifying approximately 7,000 individuals of a breach involving a third-party credit card processing vendor. Also, the Vermont Attorney General's office has reached a settlement with a grocery store in Williston following a breach in 2012 that exposed credit card numbers.
See Also: The Global State of Online Digital Trust
Breach Impacts Payment Card Info
The Medical University of South Carolina is notifying approximately 7,000 individuals that their financial information was exposed as a result of a breach at a third-party credit card processing vendor.
The vendor, Blackhawk Consulting Group, notified the university of the breach on Aug. 22 and began an investigation, according to a release from the university.
"My understanding is that [hackers] were able to place malware within Blackhawk's code that sent information to an e-mail account," a university spokesperson told Information Security Media Group.
Compromised information included names, billing addresses, credit card numbers and expiration dates, credit card authorization numbers and e-mail addresses.
Individuals affected by the breach paid the university online or over the phone, via credit or debit card, between June 30 and August 21, according to an FAQ.
The university is working with Blackhawk and Experian's fraud protection program to launch a support system that will provide free credit monitoring through a customized call center.
AG Settles with Grocery Store over Breach
The Vermont Attorney General's office has reached a settlement with Natural Provisions, a grocery store in Williston, following a breach in 2012 that exposed credit card numbers.
In the settlement, the grocery store has agreed to spend $15,000 to upgrade its computer security system and will pay the state a $15,000 penalty, according to Attorney General William Sorrell.
The security incident in 2012 involved the theft of credit card numbers used at the store, the attorney general said in a release. Banks traced the fraud back to Natural Provisions.
The grocery store failed to inform the attorney general within 14 days of discovery of the breach, failed to notify customers within 45 days, and didn't take quick steps to remedy the breach, according to Sorrell.
While it's unclear how many individuals were affected, the attorney general says tens of thousands of dollars of credit card fraud took place.
Computer Theft Affects 10,000 Patients
Olson & White Orthodontics in Florissant, Mo., is notifying patients of a break-in that involved the theft of computer hardware that included sensitive information.
The office has set up an FAQ page on its website providing information on the incident.
About 10,000 patients were informed of the incident, according to the St. Louis Post-Dispatch.
Compromised patient information included names, addresses, X-rays, photos and diagnostic findings, the Post-Dispatch reported. For insured parties, information exposed included names, e-mail addresses, Social Security numbers and credit scores.
The FAQ doesn't go into detail regarding the incident, stating a continuing investigation by police as the reason.
"While we have no information that the stolen computer hardware was taken for the purpose of identity theft, we recognize that identity theft is an ever-present threat, and strongly encourage you to take the precautions described in our letter," the FAQ said.
Sensitive Info Exposed on Website
ICS Collection Service, a debt collection agency, is notifying more than 1,300 individuals who were treated at University of Chicago Physicians Group that their sensitive information was accessible on its website for an unspecified period of time.
A collections contract that ICS had with the physicians group was terminated before the incident, but the debt collection agency retained data on patient claims that were active at the time the contract was terminated, ICS reports.
On July 9, ICS received word from a website user that they were able to view certain sensitive information relating to other debtors on the website.
Compromised information includes names, addresses, dates of birth, responsible party names, responsible party addresses, insurance payment and dates, insurance company names, insurance policy numbers, procedure and diagnosis codes and descriptions, dates of service, certain treating physician names, and, in some cases, Social Security numbers.
ICS retained privacy and data security legal counsel and an independent, third-party forensic expert to assist with the investigation. After learning of the breach, the agency also contacted its third-party website and software vendors to correct the security setting and disable access to the page on its website utilized by debtors to make payments and other account adjustments.
ICS is offering individuals affected a year's worth of free credit monitoring and identity theft consultation services.