January 16, 2014
Card data among info accessed in malware attack on medical supplier
The information – including payment card data – of more than 4,000 individuals was inappropriately accessed after malware was introduced into the computer systems of Ohio-based Edgepark Medical Supplies.
How many victims? Roughly 4,200, according to reports.
What type of personal information? Names, dates of birth, phone numbers, shipping and billing addresses, email addresses, card issuers, card expiration dates, Edgepark account usernames and passwords, diagnoses, order histories and health insurers.
Full 16-digit credit card numbers were compromised for 126 individuals. The last four digits of cards were compromised for the other impacted individuals. Security codes were not compromised.
What happened? An unauthorized party inappropriately accessed Edgepark web servers using malware. Edgepark’s anti-virus provider did not identify this type of malware until shortly before Edgepark was notified of the incident.
What was the response? The malware has been removed and account passwords were reset. Edgepark is notifying all impacted individuals by mail and is offering them one free year of identity theft protection services.
Details: Unauthorized access was gained to the Edgepark web servers between March 9, 2013 and March 12, 2013. Edgepark’s anti-virus picked up on the malware on Dec. 12, 2013, shortly after the anti-virus provider identified the threat. Edgepark has not identified any unusual patterns of account access and has not received reports that accounts have been compromised.
Quote: “We promptly investigated the incident and discovered that the malware may have resulted in the unauthorized access to the ‘account information’ section for some of our patients,” Cindy Sackett, vice president of compliance and privacy officer, wrote in the notification letter.
Source: atg.state.vt.us, “Edgepark Letter to Consumers re Security Breach,” Jan. 2, 2014