Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened
For a “limited time period” in 2020, the American Society for Clinical Pathology (ASCP) was the target of a cyberattack that “potentially exposed payment card data as it was
being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.
In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.
Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”
In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”
The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.
“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.
What Type of Cyberattack?
Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.
ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.
“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.
Federal Rules and Regulations Concerning HIPAA and PHI
The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.
With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.
Although no reported violations under the Health Insurance Portability and Accountability Act (HIPAA) occurred in this ASCP data breach, it should be noted that there are rules under HIPAA for data breaches where Protected Health Information (PHI) may have been compromised.
Under the HIPAA Breach Notification Rule, entities that were hacked must perform the following steps:
- Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
- Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
- For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.
This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.
—JP Schlingman
Related Information:
World’s Largest Pathologists Association Discloses Card Incident
American Society for Clinical Pathology—Incident Notification
ASCP Disclosed Payment Card Web Skimming Incident
Magecart Attack: What It is, How it Works, and How to Prevent It
What is Magecart? How This Hacker Group Steals Payment Card Data
A Deep Dive into Magecart: What Is Magecart?
Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches
