Banner Health Breach Affects 3.7 Million

Breach Notification , Breach Response , Data Breach

Payment Card Data as Well as Patient Information Exposed Banner Health Breach Affects 3.7 Million

Arizona-based Banner Health, which operates 29 hospitals, says it's notifying 3.7 million individuals that their data was exposed in a "sophisticated cyberattack." The organization has hired a forensics firm to investigate the attack after taking steps to block the attackers and contacting law enforcement officials.

See Also: Data Center Security Study - The Results

The data breach, which started when attackers gained unauthorized acess to payment card processing systems at some of the organization's food and beverage outlets, apparently also opened the door to the attackers accessing a variety of healthcare-related information, Banner Health says in an Aug. 3 statement. But the statement doesn't make clear how that additional access was gained.

On July 7, Banner Health discovered the hack of card processing systems that exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems, the organization reports. Cards used at affected outlets between June 23 and July 7 were affected. Card transactions used to pay for medical services were not affected.

Affected individuals are being offered one year of credit and identity theft monitoring services. Plus, Banner Health says it's "further enhancing the security of our systems to help prevent something like this from happening again."

In addition to the card-related breach, "On July 13, Banner Health learned that cyberattackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers," the organization says in the statement, without offering further explanation. Data exposed could include patient names, birthdates and addresses as well as clinical details, such as physician names, dates of service, claims information "and possibly health insurance information and Social Security numbers." Also potentially exposed were physicians' names, addresses, dates of birth and Social Security numbers.

The investigation revealed that the attack was initiated on June 17, Banner Health reports.

Banner Health did not immediately respond to an Information Security Media Group's request for additional comment.

All Data At Risk

The eye-opening report of a breach affecting both payment card transactions and patient data highlights that "healthcare must consider all aspects of its business when addressing security," says security expert Mac McMillan, CEO of the consulting firm CynergisTek.

Attacks targeting the payment card systems of retailers - including high-profile attacks against Target and Home Depot - have become common in recent years, but few have been publicized in the healthcare sector.

"Although this is not necessarily a new phenomenon, covered entities and business associates need to not only keep a close eye on HIPAA privacy and security attacks/breaches, but also ramp up their Payment Card Industry Data Security Standards compliance efforts," says security and privacy expert Thad Phillips, principal consultant at tw-Security. "These PCI DSS compliance efforts include not only their financial departments, but also any food, beverage and gift shop points of sale that are accepting and processing credit card payments."

The healthcare sector, a leading target for hacker attacks due to the value of health data, "cannot expect that PCI DSS compliance will take care of itself while they are primarily focused on HIPAA privacy and security [compliance]," Phillips says. "Once the attacker is in any system on the network, the chances of them breaching additional systems within the organization are much higher. Thus, the organization's overall risk can't go anywhere but up."

Dan Berger, CEO of the security consultancy Redspin, says the Banner Health attack "underscores the necessity to conduct truly comprehensive network security assessments, including external and internal penetration testing. One has to assume that any device, system or workstation that connects to the network is a potential entry point for hackers."