On December 21, KCI (Kinetic Concepts, Inc.) Health Care Compliance notified the New Hampshire Attorney General’s Office of a security breach involving fraud. An employee in their Texas call center with authorized access to a database containing customers’ payment card data had reportedly misused the information of “several” customers to make purchases in the San Antonio area.
The database contained names, addresses, dates of birth, insurance information, and in some cases, Social Security Numbers and payment card information.
The total number of patients who had their payment card information misused was not revealed in the report. The employee was terminated and the company was working with law enforcement.
The company reports that there was no indication that other (non-payment card) information was misused. Somewhat surprisingly, given that there was known misuse in at least some cases, KCI did not offer those affected free credit monitoring.
The incident was the second breach KCI reported recently. The first incident, revealed in September, involved exposure of employee information via an email attachment.
Note that it’s not clear to me whether this should really be considered a medical sector breach or a business sector breach. Or maybe both, as they refer to customers as “patients.”