
Cyber Incident Victim: Mission Health

Date: Mar 2016

Location: United States of America

Summary

Mission Health experienced a data breach involving malicious code embedded in its e-commerce website for over three years, compromising customer names, addresses, payment card numbers, expiration dates, and CVV codes during online transactions. The healthcare system confirmed the breach did not affect patient medical records or treatment information. Upon discovery, the impacted site was taken offline for rebuilding, and affected individuals were offered one year of complimentary credit monitoring services. The incident was isolated to the e-commerce platform, separate from the organization's primary website.


Description

Mission Health, a hospital system owned by Nashville-based HCA Healthcare, notified an unspecified number of Western North Carolina residents in October 2019 about a data breach involving its e-commerce website. The organization discovered on September 13, 2019, that malicious code had been inserted into the legitimate code of its online store platform, including shopmissionhealth.org. The code remained undetected for over three years, from March 27, 2016, through June 26, 2019, and during that time it captured customer payment information and transmitted it to unauthorized third parties. An internal review confirmed that names, addresses, payment card numbers, expiration dates, and CVV security codes provided during online purchases were potentially compromised. The breach exclusively affected transactions made through Mission Health's e-commerce platforms and did not involve access to patient medical records, treatment information, or the primary missionhealth.org website.

Mission Health responded by removing the compromised e-commerce site entirely, announcing plans to completely rebuild the online store that previously sold personal care items, over-the-counter medications, vitamins, and hosted wellness classes. Affected customers received notification letters and were offered one free year of credit monitoring services. The organization emphasized that the impacted website operated separately from its core healthcare systems and had been taken offline permanently. While Mission Health did not disclose the exact number of affected individuals, the three-year exposure period spanned transactions for childbirth classes, weight management programs, and retail product purchases. The incident occurred amid broader trends of healthcare sector vulnerabilities, with industry reports indicating medical providers accounted for over half of all reported data breaches in 2018.
