Individuals’ data may have been compromised by hackers that cracked in via food and beverage payment systems and infiltrated patient healthcare data.
Banner Health revealed that hackers may have accessed the healthcare, payment and health plan information of up to 3.7 million individuals.
Attackers reportedly gained access through payment processing systems for food and beverage purchases at the Phoenix-based health system.
“On July 13, 2016, we discovered that cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers,” Banner Health said in a statement. “We immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers, and contacted law enforcement. The investigation revealed that the attack was initiated on June 17, 2016.”
Stolen information may have included names, birthdates, social security numbers, addresses, dates of service and claims information, as well as health insurance information as a current or former member of one of Banner’s health plans or as a beneficiary of a Banner Health employee benefits plan.
“Most of the time these healthcare organizations have no systems in place to alert them when lots of data is being sucked out using some privileged account,” said Mansur Hasib, program chair, cybersecurity technology, at the graduate school of the University of Maryland University College, and author of the book “Cybersecurity Leadership.”
Mansur added that Anthem, for instance, did not originally have such protections but after its massive breach installed such systems.
“As a precaution, we have secured the services of Kroll to provide credit and identity monitoring at no cost to the affected members for one year,” Banner Health said. “Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data.”
Further, Banner Health is enhancing the security of its systems to help prevent another such attack in the future, and has established a call center for individuals to call with any questions, the health system said.
“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” said Peter S. Fine, president and CEO of Banner Health.
Affected members have been mailed; but if an individual believes he or she may have been affected and does not receive a letter before September 9, 2016, they can call (855) 223-4412.
The attack looks very similar to the infamous breach of Target Corp., said Adrian Sanabria, senior analyst, information security, at 451 Research LLC.
“Attackers allegedly were able to access hospital networks through successful attacks against food services systems,” Sanabria said. “I don’t know if Banner Health used a third-party to run its in-hospital cafes and cafeterias, but like Target’s breach, which began with a third-party HVAC vendor, there should have been no way to access payment data from food services systems. These should have been entirely segregated from one another – I can’t imagine any reason why a cafeteria point-of-sale system would need access to systems storing medical records.”
Another issue that mirrors the Target breach is a lack of visibility into what’s happening to systems and data,” Sanabria added. “One of the new technologies I’m very excited about that can help with this issue is the emergence of inexpensive attack simulation products,” he said. “By safely simulating the events of a breach, companies can more easily determine how they would fare in an actual attack and adjust as necessary.”