About 10,000 affected by security breach in Lawrence Memorial Hospital's online bill pay service

Lawrence Memorial Hospital, 325 Maine.


Financial information of about 10,000 people may have been exposed online in a security breach of Lawrence Memorial Hospital’s online patient bill pay service.

LMH reported Friday that information maintained by its vendor Mid Continent Credit Services was inadvertently publicly available on the Internet between Sept. 20 and Oct. 28. The following information may have been exposed:

• Patient name, phone number, email address, health care provider, payment amount and date of payment.

• Credit card information, including the type of card, name and address of the card holder, the account number, the verification number and the expiration date.

• Checking account information, including the check number, the account holder name and address, the checking account number and bank routing number, and the bank name and address.

Janice Early, LMH director of community relations, said the information did not include medical records and was not released by the hospital.

The security breach affects people who used the online bill pay service on the hospital’s website — lmh.org — which asks for either credit card information or bank account information. It does not affect people who paid bills through their bank, by mail or by phone. People use the online bill pay service not only for hospital bills, but to pay physicians groups and health fairs, Early said. The online bill pay service is currently unavailable.

“We are in the process of arranging for a new online payment system with a new vendor. We hope that it can be available within a week,” Early said.

The event occurred as a result of failed security measures on a website hosted by BrickWire LLC, which hosted the online patient bill pay service on behalf of Mid Continent Credit Services. LMH has had a contract with Mid Continent Credit Services since 2005, when it started online services.

Early said the hospital learned about the security breach from a patient on Oct. 28 and immediately contacted Mid Continent Credit Services.

LMH is notifying patients through letters, which should be received during the next couple of weeks. It is advising people who have made online payments to monitor their account statements and credit reports for suspicious activity. Mid Continent has agreed to offer a free one-year credit monitoring subscription to individuals.

Anyone who has questions about the security breach should call LMH at 505-4945 or send an email to lmhcompliance@lmh.org.

“We take privacy and security of patient information very seriously and we sincerely apologize for the inconvenience caused by this event,” Early said.

Tagged: Lawrence Memorial Hospital

Comments

LadyJ 3 years, 1 month ago

Should be a minimum of 2 years at least. I believe Old Navy offered 2 years when employees social security information was breached. Credit card information is worse. I am willing to bet social security information was also in those records. They need to include the bank and credit card information that was in the records so we don't have to change all our credit card numbers and bank account numbers. Do they really think we should wait until something happens and then try to straighten things out? No thanks, I'll head them off at the pass.

riceballs 3 years, 1 month ago

No social security numbers or birth dates were in the records. All individuals affected will be personally notified.

Janice Early-Weas 3 years, 1 month ago

No Social Security information or dates of birth were entered into the online bill pay system at any time. To clarify, individuals entered information, which included either bank account information if they were paying by check or credit card information if they were paying by credit card. The letters being sent will state which form of payment was used.

Also, I want to correct the statement in the story that says we were notified on Monday. An individual called the hospital Oct. 28, and the online bill pay site was shut down immediately. -- Janice Early, LMH Director of Community Relations

LadyJ 3 years, 1 month ago

Thanks, I was more worried about the social security numbers than anything else. Knew an elderly widow who could not file her income tax return and get her refund because somebody else had filed one under her name and social security number. Still think we should get two years of monitoring, please push for that.

Dave Greenbaum 3 years, 1 month ago

I filed a complaint about the online bill pay system provided by midccs.com back in August of 2006. The system sent a receipt for my payment in plain text and included the account number. Using that account information you can retrieve additional information about the account. No password was necessary. It was out there in plain view. I filed a HIPAA complaint when "infolmh infolmh@midccs.com" sent an email containing confidential email about my account.

If this is the same system used back then, the account will also have your doctor info (but not procedure). I assume that's what "health care provider" refers to in the article. Once someone knows your doctor, they possibly know something about your health history or current conditions. For example, if it's an oncologist, that communicates to others you have most likely been treated for cancer. Some may not want the fact they were treated by a mental health professional to be disclosed to the public.

Whom we see should be private and is of much more concern than a credit card number that can easily be cancelled. Linking the health care provider with someone's name and phone number (the system didn't ask for address) is of much greater concern.

LadyJ 3 years, 1 month ago

Very good points that I had not considered. Thanks. Fortunately ours were of just family physician type. Glad I didn't use cell phone #. Land line number is used mostly to catch spam calls.

Karrey Britt 3 years, 1 month ago

Thanks for the clarification. It has been corrected in the story.

opinion 3 years, 1 month ago

The article states the website in question is lmh.org. I believe the site listed on statements - lmhbillpay.com - is also one that the vendor used to process payments. I went to pay through there last week and it was no longer available.

kernal 3 years, 1 month ago

I wonder if Mid Continent's breach included other medical clients and if so, did they notify those clients?

LadyJ 3 years, 1 month ago

Good questions, let's hope they give us the answers.

Janice Early-Weas 3 years, 1 month ago

This was not a breach on LMH systems, nor was the system hacked. This was an internal failure of BrickWire's web security during a system update they completed. BrickWire's database, which was used to manage the online bill pay system, was inadvertently made publicly available on the Internet. -- Janice Early, LMH Director of Community Relations

phred 3 years, 1 month ago

Great that they are notifying by mail in a couple weeks (given they do have email addresses). That should give criminals plenty of time to run up charges on the credit card. It looks like I will be canceling a credit card today.

I am not impressed.

sherbert 3 years, 1 month ago

Wow, this is bad. And what an embarrassment to LMH. Seems like there should be some type of repercussion for this.

lisabeth2002 3 years, 1 month ago

I called on Monday to make a payment by phone (since I usually use the online bill pay but it wasn't available all weekend) and the lady on the phone didn't mention ONE WORD about any of this. I explained that I usually pay online but needed to pay over the phone since "apparently your site isn't working." "Yeah, it's down right now," she said. Mail out letters within a few weeks?!? LMH needs to pull their head out and handle this like the serious situation that it is.

Susan Thomas 3 years, 1 month ago

I think folks should just call the number and find out if their account is part of the breach. Then you'll know if you need to call your bank or credit card company.

phred 3 years, 1 month ago

Good idea, tried it and got a recording and voice mail. It doesn't appear the hospital is taking their patients' security very seriously and doesn't really care if people are financially hurt by this. They have already been sitting on the information for a week.

Susan Thomas 3 years, 1 month ago

I called yesterday around 4. Spoke with a live person. She answered my questions. Said a letter would be coming, and that I should contact my credit card. Also said that I could get a one year subscription to a credit service paid for by the online company. Same response as when the deal happened at TJMaxx and Bank of America.

Oldsoul 3 years, 1 month ago

This comment was removed by the site staff for violation of the usage agreement.

Joe Hyde 3 years, 1 month ago

Looking at the bright side, this security breach offers the FBI an opportunity to conduct a high tech 2-prong sting operation that monitors electronic theft from specific private bank accounts, as well as identity thefts.

In today's world the more often cyber-thieves are caught, the happier I get.

Gareth Skarka 3 years, 1 month ago

Makes me very, very glad that long ago I refused to do any business with Mid-Continent. They have many complaints about their professionalism, their ethics, and violations of the Fair Credit Reporting Act.

Sigmund 3 years, 1 month ago

"The UCLA Health System is warning thousands of patients that their personal information was stolen and they are at risk of possible identity theft, officials said in a statement released Friday."

"The stolen patient information included first and last names as well as some birth dates, medical record numbers, addresses and medical information, officials said. It did not include Social Security numbers, credit card or insurance details. The patient information was from 2007 through 2011." "UCLA medical officials say patient information data stolen" LA Times, November 4, 2011. http://latimesblogs.latimes.com/lanow/2011/11/ucla-patient-identification-stolen.html

Management at these companies has an affirmative duty to protect patients' information from disclosure under numerous federal and state laws. Victims of computer crimes have been given the legal authority to pursue civil action under federal law. Corporations can be held corporately liable and management can be held personally liable for failure to ensure due care in implementing and complying with recognized standards.

Only when these companies and managers are hauled into court and held accountable for their failures will they begin to take their customers' and patients' personal information seriously. While LMH may have a CIO, I doubt he or she has a single certified computer security professional (CISSP or equivalent) on their staff.

SarcasmIsALostArt 3 years, 1 month ago

There's quite a bit of info here that we're missing.. 1) Is there any evidence that the database was accessed via an external connection? 2) Did the vendor perform any testing or perform any secure scans post 'maintenance' work? ...ie did the vendor do its due diligence in providing a secure service? 3) Did LMH vet the vendor? 4) Did LMH mandate certain standards in their SLA's requiring x standard to be provided? 5) Did LMH sign a BA in absolving them of liability in these billing transactions?

Prob won't get these answers from a news service...but as a customer I'd be demanding to see the granulars, especially if my data was at risk. Although given it was limited to financial data and minus any PII (SSN's etc etc), the damage at least has the potential to be limited.

bc 3 years, 1 month ago

It's clear the vendor was not PCI compliant which I believe is required if you are going to at least process Visa/MasterCard. Storage of card verification codes is prohibited under the standards.
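The point bc raises is the PCI DSS storage rule: the card verification code is sensitive authentication data and must never be retained after authorization, and a stored card number must be truncated. The following is an added illustration of how a payment service enforces that at the point of persistence, and how a defender audits rows that were already stored; it is not code from the article, from LMH, or from any vendor named here, and every field name and sample record in it is constructed.

```python
"""Added example (not from the article or any vendor it names): enforce the PCI DSS
rule that sensitive authentication data is never stored after authorization and that
a stored card number (PAN) is truncated. Field names and sample data are constructed."""
import re

# Sensitive authentication data: must not be retained after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "verification_number", "pin", "track_data"}
# Primary account number fields: may be stored only truncated (here: last four digits).
PAN_FIELDS = {"card_number", "pan"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used by the audit to recognise a full card number in a stored value."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; everything else is masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("value does not look like a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist:
    verification code and other SAD dropped, PAN truncated, other fields unchanged."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            continue                      # never written to disk
        if k in PAN_FIELDS:
            clean[key] = truncate_pan(str(value))
        else:
            clean[key] = value
    return clean


def audit_stored_records(records: list[dict]) -> list[str]:
    """Detection pass over already-stored rows: flag any SAD field and any value that is
    a Luhn-valid 13-19 digit number (an untruncated PAN), whatever the column is called."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in SENSITIVE_AUTH_FIELDS:
                findings.append(f"row {idx}: sensitive authentication data stored in '{key}'")
            compact = re.sub(r"[ -]", "", str(value))
            if re.fullmatch(r"\d{13,19}", compact) and luhn_valid(compact):
                findings.append(f"row {idx}: full card number stored in '{key}'")
    return findings


# Constructed sample record, shaped like the fields the article lists for the
# exposed data. 4111 1111 1111 1111 is a well-known test card number, not a real one.
CONSTRUCTED_PAYMENT = {
    "patient_name": "Example Patient",
    "phone": "785-555-0100",
    "provider": "Family Medicine Clinic",
    "amount": "125.00",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/26",
    "verification_number": "123",
}

if __name__ == "__main__":
    stored = sanitize_for_storage(CONSTRUCTED_PAYMENT)
    print("safe to store:", stored)
    print("audit of the raw record:", audit_stored_records([CONSTRUCTED_PAYMENT]))
    print("audit of the sanitized record:", audit_stored_records([stored]))
```

The audit deliberately keys on the shape of the value rather than the column name, because a card number copied into a free-text "notes" or "receipt" column is exactly the case a name-based check misses; the Luhn test keeps phone numbers and bank routing numbers from being reported as card numbers.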

Kelsey_Ryan 3 years, 1 month ago

Glad to hear about this.... looks like a new credit card number is in order.
