Western Montana Clinic Data Breach (2015)

Full credit card information for 44 patients was available to hackers who gained access to the Western Montana Clinic website last month. The hackers also were able to access demographic and partial credit card information for nearly 7,000 patients. However the hackers didn't gain access to patients' medical records, which are housed in a different system, Western Montana Clinic CEO Valeri Saffer said. "We are very fortunate that no medical information was available on the site that would have been hacked," she said. It appears the hackers, who call themselves the Moroccan Agent Secrets, weren't looking for personal information, but were looking for site vulnerability, Saffer explained. "I've been told a good hacker can get into anywhere," she said. Saffer said the hackers bypassed security measures and accessed the website for the first time March 10. By March 14, the hackers had changed the homepage and WMC employees became aware of the attack. The hackers made it impossible for users to access the website, and instead routed them to a separate site that contained anti-Israeli and anti-American sentiments. "We found out about it from a patient who called a staffer and we called the organization that hosts the website," Saffer said. Within hours, the site was taken down. In investigating the incident, WMC employees discovered the presence of patients' credit card information on the site. "When our IT people took the site apart, they found there was a log on the site that had that (credit card) information in it," Saffer said. "It shouldn't have had that information in it, but it did." In addition to accessing the full credit card information of 44 patients, the names, addresses, telephone numbers, email addresses, dates and amounts of credit card transactions made via the website, and the last four four digits of credit card numbers for 6,994 patients were available to the hackers. The clinic alerted the FBI to the hacking incident, and affected patients affected were notified by mail. WMC offered one year of free credit monitoring to patients whose full credit card information was available to the hackers. WMC recommends that patients remain vigilant for fraud and identity theft by reviewing their credit reports and accounts for unauthorized activity.