Cyber Incident Victim: BJC HealthCare
Date:
Nov 2018
Location:
United States of America
Summary
BJC HealthCare experienced a malware breach affecting its online patient payment portal, potentially compromising credit card information submitted by users. The organization discovered malicious software on its website that may have intercepted payment data, prompting notifications to at least 5,850 individuals regarding the possible exposure of their financial details.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
BJC HealthCare announced a potential breach involving credit card information submitted through its online patient payment portal on December 18, 2018. The organization discovered on November 19, 2018, that malicious software had been installed on their website, potentially enabling unauthorized interception of payment data. The malware specifically targeted the portal used by patients to pay medical bills, though the exact duration of its presence or the attacker's identity remained undisclosed. BJC's investigation confirmed the incident affected at least 5,850 individuals whose payment card details were processed through the compromised system during an unspecified timeframe. The company issued a public news release detailing the malware's discovery and its potential to capture sensitive financial information. Affected individuals received direct notifications, though the article did not specify whether these included complimentary credit monitoring services or other remediation offers. No evidence suggested broader electronic health record or clinical system compromise beyond the payment portal functionality.
BJC initiated an investigation immediately upon detecting the malware but did not disclose technical details about the malicious code's operation or its removal process. The organization emphasized the breach was confined to payment transactions made through the specific online portal, excluding in-person payments or other digital platforms. While the company confirmed data exposure risks, it provided no confirmation of actual misuse of intercepted information in its public statement. The 33-day gap between discovery (November 19) and public disclosure (December 18) indicated a period required for forensic analysis and individual notification processes. BJC directed potentially affected patients to vigilance regarding unauthorized credit card charges but did not report regulatory fines or legal actions resulting from the incident. The breach highlighted vulnerabilities in third-party payment systems without elaborating on future security enhancements.