Cyber Incident Victim: Fast Health
Date: Jan 2016
Location: United States of America
Summary
A healthcare provider experienced a security breach when a third party altered server code, compromising credit card information for approximately 714 patients who paid bills online through its platform. The incident exclusively affected customers of two affiliated healthcare entities using the vendor’s payment system, with no medical data accessed. The organization notified impacted individuals directly and confirmed that the breach was limited to financial data from online transactions.
Description
Fast Health, a healthcare vendor based in Tehachapi, experienced a security breach impacting patients who used its online bill payment system between January 14, 2016, and December 20, 2016. A third party altered code on the company’s server, enabling the theft of credit card information belonging to approximately 700 customers. The compromised data was limited to financial details used for online payments, with no evidence suggesting unauthorized access to medical records or other protected health information. Fast Health identified 714 affected patients associated with two healthcare providers: Tehachapi Valley Healthcare District and Adventist Health. The breach persisted for nearly eleven months before being discovered, though the exact date of detection remains unspecified in public reporting.

Adventist Health received notification of the incident from Fast Health on May 9, 2017, indicating the vendor became aware of the breach by that date. Fast Health committed to notifying all impacted individuals via mailed letters, though the timeline for this communication was not disclosed. The breach exclusively affected patients who utilized Fast Health’s online payment portal during the specified timeframe, leaving in-person transactions and other systems unaffected. No additional technical details regarding the code alteration, intrusion methods, or server vulnerabilities were publicly released. The incident exposed financial risks for affected patients but did not compromise clinical care data or treatment histories.
