BlackHawk

The covered entity (CE), MUSC Physicians & MUHA, learned on August 22, 2013, that the payment portal of its business associate (BA), Blackhawk Statement Group, had been hacked on June 30, 2013. The breach exposed the names, addresses, email addresses, and credit care information for 7,120 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE changed its payment procedures to circumvent the BA and process credit card transactions directly with the processor. The BA patched the vulnerability in the software that was targeted by the hack and improved its network security. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Network Server
Business associate present: Yes