Asheville, N.C.-based Mission Health has mailed patients letters indicating that their financial information may have been stolen, according to local ABC affiliate WLOS.
Mission Health discovered that a malicious code was infecting its store website and sending users' payment information to an unauthorized third party. The malicious code was present on the website between March 2016 and June 2019.
No patient information or medical records were exposed because of the vulnerability.
After finding the bug, Mission Health took the website offline and is completely rebuilding it. In a statement, Mission Health said the website was not part of its primary website, missionhealth.org.
"Mission Health takes the privacy and security of information very seriously. Regrettably, we recently identified and addressed a security incident that may have involved some of the information consumers provided when making purchases on the Mission Health eCommerce website, either at store.mission-health.org or shopmissionhealth.org," the health system said in a statement, according to WLOS.
The website was used for consumers to purchase health products.