BJC HealthCare is notifying 5,850 individuals that malicious malware might have compromised the BJC HealthCare online payment portal and potentially exposed credit card information entered through the website.
In a notice posted to its website, the system said no Social Security numbers or medical information were at risk.
On Nov. 19, 2018, BJC learned that information submitted through the patient online payment portal could have been intercepted through the use of malicious computer software installed on the website. A BJC internal investigation determined that the malware allowed electronic collection of payment information entered through the portal between Oct. 25, 2018, through Nov. 8, 2018.
The information that could have been acquired included the patient’s name, date of birth, and billing account number, and the information of the individual making the payment including the individual’s name, address and credit card or bank account information. Social Security numbers and medical information were not included in the information and there was no impact to the treatment or health care of the patient.
BJC has no indication to date that any information was actually misused. As a precaution, individuals whose payment information may have been exposed are advised to carefully review credit card and bank statements and immediately contact their credit card holder or banking institution about any inconsistencies or suspicious activity.
“BJC takes the confidentiality and protection of patient information seriously and regrets any inconvenience or concern this incident caused patients, family members or other individuals making payments through the site,” BJC said in its statement. To help prevent a similar incident from occurring in the future, BJC has implemented additional security procedures to enhance protection against malware.
Individuals making payments whose data may have been exposed have been mailed a letter explaining what occurred, recommended precautions, and who to contact with any questions. Patient questions can be directed to (844) 582-5076, Monday through Friday, 9 a.m. to 5 p.m. Central Time.
BJC HealthCare says it has complied with all U.S. Department of Health and Human Services Office for Civil Rights notification requirements, including individual patient letters, public news release and website posting.