Edgepark Medical Supplies has notified the New Hampshire Attorney General’s Office of a breach reported earlier this month to Vermont’s Attorney General. Their earlier report explained how malware inserted in their system went undetected until December 2013 when Symantec recognized it as malware and added it to their database/product.
Edgepark’s more recent report adds additional details about the incident, including that the hackers exploited a vulnerability in ColdFusion to insert the malware, and that
the malware intercepted online account usernames and passwords and stored them in a file on our website, which was accessed and downloaded by the Hackers between March 9 and March 11, 2013. The file was not accessed after March 11, 2013.
You can read their notification to the state and to 26 New Hampshire residents here.
As most security professionals realize, there is simply no one anti-virus software that will catch everything, and relying on any one product is risky.
Update: 101 residents of Maryland were also affected by the breach.