Ohio's Edgepark Medical Supplies recently began notifying an undisclosed number of customers that their personal information may have been compromised when the company's Web site was improperly accessed in March 2013.
"Our systems are safeguarded by a number of technological security measures including, but not limited to, industry-standard anti-virus software," Edgepark vice president of compliance and privacy officer Cindy Sackett wrote in the notification letter [PDF]. "However, on December 12, 2013, using this software, we discovered that our Web servers were subject to unauthorized access between March 9, 2013 and March 12, 2013 as a result of malware ... that was identified on our system."
"Unfortunately, our anti-virus provider did not identify this particular malware issue until shortly before we were notified of the incident," Sackett added.
An investigation determined that customers' user names, passwords, full names, birthdates, phone numbers, shipping and billing addresses, e-mail addresses, primary physicians, diagnoses, order histories and health insurance company names may have been accessed.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
In 126 cases, the customers' full credit card numbers may also have been accessed.
The malware has since been removed, and all affected customer passwords have been reset. All those affected are being offered one year of free identity protection services from AllClear ID.