Mission Health E-Commerce Websites Had Malicious Code That Allowed Payment Data Theft for 3 Years


Malicious code was found installed on the e-commerce website of Mission Health in Western North Carolina. The code could capture the payment information entered by patients purchasing health products on the website and route that data to an unauthorized third party.

Mission Health discovered the breach in June 2019, but according to the breach investigation findings, the malicious code had been inserted into the site's legitimate code three years earlier, in March 2016. Because of the issue, Mission Health took down the affected websites, which are being rebuilt. As of this writing, those websites are still offline.

Only limited information about the breach has been released, and at this time Mission Health has not posted a substitute breach notification letter on its website. It was not disclosed how Mission Health discovered the breach. Usually, whenever there is credit card data theft, credit card companies track the fraudulent transactions back to a particular merchant or website and inform the firm about the compromise of its systems. In such instances, the fraudulent transaction is identified fairly easily. It is uncertain whether that is what happened in this case, or why it took about three years to detect the breach.

The attackers did not access any health data or medical records. The malicious code only allowed the capture of financial data such as credit card numbers, expiry dates, and CVV codes, together with the names and addresses of cardholders. The breach only impacted persons who had bought items on the following e-commerce websites: shopmissionhealth.org and store.mission-health.org. The breach did not affect the healthcare provider's main site, missionhealth.org.

Mission Health has examined all transactions that took place during the period when the malicious code was in the system and sent notification letters on October 11, 2019 to all people who purchased from the affected websites. Those people also received information on the steps they should take to protect their accounts and to monitor them for indications of fraudulent transactions. All impacted persons were offered a complimentary 12-month membership to credit monitoring services.

The breach report has not yet been posted on the HHS' Office for Civil Rights breach portal. It is currently uncertain exactly how many people were impacted.