In the largest data breach ever affecting Medical University of South Carolina records, the financial information for some 7,000 customers was stolen last month when a foreign entity hacked data from an outside credit card processing vendor, the hospital announced Thursday.
Dr. Pat Cawley, executive director of the Medical University Hospital, said there are no immediate plans to terminate its contract with Blackhawk Consulting Group, an Illinois-based credit card processing company.
“We are satisfied with how Blackhawk is responding and we’ll continue to work with them,” Cawley said. “This is not something that’s going to go away tomorrow.”
The majority of customers impacted by the data breach are South Carolina residents who paid MUSC with a credit card over the phone or online between June 30 and Aug. 21. That represents a relatively small percentage of the MUSC patient population because the hospital treats about 1 million people a year, Cawley said.
“Based on the information made available now, no patient medical record information was accessed during the theft,” a press release about the attack said.
MUSC found out about the data breach on Aug. 22, but waited two weeks to inform customers as the institution devised a plan of action.
“We were dependent on the forensic discovery process led by Blackhawk, who suffered the direct attack,” MUSC spokeswoman Heather Woolwine wrote in an email. “It’s a detailed and meticulous process, and has to be done correctly to make sure that we are providing the most accurate information possible to the public. Plus, you need time to set up call centers and get staff up to speed on the issue and action plan.”
Woolwine said, “We’ve had little phishing attacks on our systems, but nothing like this.” She made clear that Blackhawk’s system was attacked, not MUSC’s system.
MUSC is recommending that customers whose information was compromised in the data breach contact their credit card companies and banks immediately.
“Affected individuals will receive a pre-recorded phone message providing more about the theft, and MUSC is working with Blackhawk and Experian’s fraud protection program to launch a support system that will provide free credit monitoring through a customized call center designed to walk all concerned persons through the steps they should take to further protect their personal information,” the press release said.
Blackhawk’s website lists dozens of other clients, including Yale University, Johns Hopkins Hospital and Northwestern University, but Mary Ellen Callahan, an attorney for the company, said only two other Blackhawk clients in addition to MUSC were impacted. Callahan would not disclose which other clients were victimized, but said they were not located in South Carolina.
“We’re not at liberty to disclose that. That is their story to disclose, not ours,” Callahan said.
In total, the financial information for about 10,000 people was affected by the breach, but Blackhawk’s other clients have not yet notified their customers. MUSC used the online payment system more frequently than the other two clients, Callahan said.
The FBI has been notified of the data breach, she said. “It was a sophisticated cyber-attack.”
MUSC Board of Trustees Chairman Tom Stephenson said the board members were notified about the breach Thursday.
“I’m satisfied based on what I know that it’s not MUSC’s fault. If there’s blame to be had it’s on the vendor, not us,” Stephenson said. “That being said, MUSC is taking measures to minimize the chance that this happens again. We want to do everything to protect the public and our users from this type of criminal conduct.”
MUSC has worked with Blackhawk for 10 years.
“We’ve had a long relationship, never had any problems and felt very comfortable with them,” Cawley said.
For some of the 7,000 MUSC hacking victims, their credit card numbers could have already been compromised as a result of last year’s cyber-breach of the S.C. Department of Revenue. In that case, a hacker made off with the personal identification information, including Social Security numbers, of 5.7 million present and former taxpayers. The financial information of some 700,000 businesses also was stolen.
The Revenue Department cyber-hacking was the largest ever of any state, but the state waited until Oct. 26, more than two weeks after it learned of the breach, to let the public know they could be victims of identity theft.
The state said it delayed notification to give law enforcement time to track the hacker, but so far authorities have made no arrest and have publicly said only that they have identified a foreign country where they believe the hacking originated.
Authorities say they know of no case in which a victim of the Department of Revenue hacking has lost any money as a result of the hacking, but cyber-security experts say it’s just a matter of time.
The state paid $12 million to provide free credit monitoring for the victims for one year and the legislature has authorized paying for an additional year. House Speaker Bobby Harrell, R-Charleston, recently told The Post and Courier that the state likely will have to pay for that for years.
Cawley, of MUSC, said Blackhawk bears financial responsibility for the attack affecting MUSC customers.
For more information about the cyber attack at MUSC, visit the hospital’s website. Customers may also contact MUSC through its call center at 843-792-6200 or 1-800-868-5051.
Doug Pardue contributed to this report. Reach Lauren Sausser at 937-5598.