Andrew Dunn reports:
The credit card information of nearly 10,000 people may have been accessed in a data breach at a Charlotte medical practice.
Presbyterian Anesthesia Associates has disclosed that a hacker broke through a security flaw of the practice’s website to gain access to a database of personal information, including names, contact information, dates of birth and credit card numbers for 9,988 people.
No medical information was compromised, the practice said.
Read more on Charlotte Observer.
There is no statement on the practice’s web site about the breach, and the page for making a payment says:
Our Bill Pay system is currently unavailable. To contact our Business Office by phone, please dial 704.749.5800.
So the practice not only stored credit card numbers but failed to encrypt them? I wonder what their risk assessment looks like and what HHS will think if they investigate this breach.
Update: HealthITSecurity obtained more details on the breach from PAA’s report to the North Carolina Attorney General’s Office. Kyle Murphy reports that encryption was used, but an “unauthorized person gained access to E-Dreamz’s server via a software vulnerability and stole key enabling person to decrypt and take patient payment information.” Murphy also reports that the information on the server was encrypted using 128-bit AES (Advanced Encryption Standard) encryption.
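The detail that matters in that update is not the cipher but where the key lived: AES-128 is fine, yet if the key sits on the same server as the encrypted payment data, anyone who copies the server copies the means to decrypt it. The Go program below is an added illustration written for this post, not code from PAA, E-Dreamz or the report; it puts the two designs side by side. Design A keeps the key next to the data, so a copy of the server decrypts every record. Design B uses envelope encryption: each record is encrypted under its own data key, and that data key is stored only in wrapped form, encrypted by a key-encryption key that never leaves a separate key service (an HSM, a cloud KMS or a hardened host; the KeyService type here is a hypothetical stand-in). The card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext with AES-128-GCM under key; returns nonce||ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; it fails on a wrong key, wrong key size or tampered data.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Design A, the failure mode in the report: the key is handed back so the caller
// stores it beside the ciphertext. A copy of the server then holds both.
func EncryptCardKeyOnServer(cardNumber string) (ciphertext, key []byte, err error) {
	key = make([]byte, 16) // AES-128, the key size named in the report
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	ciphertext, err = sealGCM(key, []byte(cardNumber))
	return ciphertext, key, err
}

// Design B: KeyService is a hypothetical stand-in for an HSM/KMS that wraps and
// unwraps per-record data keys but never exports the KEK to the web server.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 16)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func (k *KeyService) Wrap(dek []byte) ([]byte, error)       { return sealGCM(k.kek, dek) }
func (k *KeyService) Unwrap(wrapped []byte) ([]byte, error) { return openGCM(k.kek, wrapped) }

// Record is everything that lands on the web/database server in Design B.
type Record struct {
	Ciphertext []byte // card number under a per-record data key (DEK)
	WrappedDEK []byte // that DEK, encrypted under the KEK held by KeyService
}

func EncryptCard(ks *KeyService, cardNumber string) (Record, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, []byte(cardNumber))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptCard is the legitimate application path: unwrap via the service, then decrypt.
func DecryptCard(ks *KeyService, rec Record) (string, error) {
	dek, err := ks.Unwrap(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := openGCM(dek, rec.Ciphertext)
	return string(pt), err
}

// DecryptOffline is what a copy of the server yields: decryption with whatever
// key-shaped bytes were found on it and no access to the key service.
func DecryptOffline(ciphertext, keyFoundOnServer []byte) (string, bool) {
	pt, err := openGCM(keyFoundOnServer, ciphertext)
	return string(pt), err == nil
}

func main() {
	const card = "4111111111111111" // constructed test number, not a real account
	ct, key, _ := EncryptCardKeyOnServer(card)
	_, ok := DecryptOffline(ct, key)
	fmt.Println("Design A, server copied, decrypts:", ok) // true
	ks, _ := NewKeyService()
	rec, _ := EncryptCard(ks, card)
	_, ok = DecryptOffline(rec.Ciphertext, rec.WrappedDEK)
	fmt.Println("Design B, server copied, decrypts:", ok) // false
}
```

The point of Design B is that the stolen artefacts (ciphertext plus wrapped key) are both ciphertext; the only thing that turns them back into card numbers is a call to the key service, which can be logged, rate-limited and revoked. Whether a practice should be storing full card numbers at all is a separate question the report does not answer.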