A large-scale computer cyberattack at Banner Health compromised the records of up to 3.7 million patients, health-insurance-plan members, food and drink customers, and doctors according to the an Arizona Republic article by Ken Alltucker (1). Banner Health discovered unusual activity on its computer servers in late June and uncovered evidence of two attacks, with hackers accessing both patient records and payment-card records of food and beverage customers. The Phoenix-based health-care provider said it will mail letters to those affected notifying them about details of the cyberattack and steps they can take to protect themselves. Banner employees, many of whom are patients and covered by Banner Health insurance plans, also are believed to be victims of the attack.

The Banner Health attack is the largest among 32 known data breaches involving Arizona-based health and medical providers since 2010 according to an U.S. Department of Health and Human Service list. The breach exceeds all other breaches in Arizona combined by over 1,000,000 affected individuals. Banner also has the dubious distinction of the previous high in Arizona when records of 55,207 were compromised in 2014 (2).

Banner Health officials said they thus far have not received reports of hackers misusing the information, but the health-care provider will offer a free one-year membership in credit-monitoring services to patients, health-plan members and others affected by the cyberattack. The hackers apparently accessed Banner computer systems that process payment-card data at food and beverage outlets at some Banner Health locations. Potential victims can view a list of affected Banner locations in Arizona, Alaska, Colorado and Wyoming at http://bannersupports.com/customers/affected-locations/. On July 13, Banner Health discovered that hackers also may have accessed patient and health-insurance records, which may have included information about doctors and health-care providers. Those records may have included names, birth dates, addresses, doctors' names, dates of service, claims information, health-insurance information and Social Security numbers.

Bob Gregg, chief executive of Portland, Ore.-based ID Experts. said health-care providers are increasingly facing attacks from criminal organizations that resell the information for profit. According to Gregg. a record containing a name, address and Social Security number sells for $1 to $3 on the black market but detailed medical records with unique patient identifying numbers can fetch up to $100 per record.

Banner Health has established a website that details information about the data breach at http://bannersupports.com. Patients or other customers who have questions or concerns about the cyberattack can call 1-855-223-4412.

References

1. Ken Alltucker. Banner Health cyberattack breaches up to 3.7 million records. Arizona Republic. August 3, 2016. Available at: http://www.azcentral.com/story/money/business/health/2016/08/03/banner-health-cyberattack-breaches-up-3-7-million-records/88035474/ (accessed 8/6/16).
2. Robbins RA. Banner prints social security numbers. Southwest J Pulm Crit Care. 2014;8(2):140-1. [CrossRef]

Cite as: Robbins RA. Banner hacked-3.7 million at risk. Southwest J Pulm Crit Care. 2016;13(2):80-1. doi: http://dx.doi.org/10.13175/swjpcc075-16 PDF