<div dir="ltr"><a href="http://www.modernhealthcare.com/article/20160803/NEWS/160809954">http://www.modernhealthcare.com/article/20160803/NEWS/160809954</a><br><br><a href="http://www.modernhealthcare.com/section/articles?tagID=750" class="gmail-omnitrack">Banner Health</a>
is contacting 3.7 million individuals whose personal information may
have been accessed in a cyberattack that began on systems that process
credit card payments for food and beverage purchases at Banner
locations. The breach then expanded to include patient and health plan
information.<br><br>The Phoenix-based health system, with locations in
Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming,
first learned of the attack on July 7, according to a company statement.
Around June 23, the attack began to target data from credit cards,
including the cardholders' names, card numbers, expiration dates and
verification codes.<br><br>By July 13, an investigation revealed that
the attackers “may have gained unauthorized access to patient
information, health plan member and beneficiary information, as well as
information about physician and healthcare providers,” the statement
said. “The patient and health plan information may have included names,
birth dates, addresses, physicians' names, dates of service, claims
information, and possibly health insurance information and Social
Security numbers.”<br><br>Banner <a href="http://www.modernhealthcare.com/assets/pdf/CH10636283.PDF" class="gmail-omnitrack">announced Wednesday</a>
that it is mailing letters to 3.7 million patients, health plan members
and food service customers about the attack. The system has also hired a
computer forensics firm, contacted law enforcement officials and is
taking steps to prevent further attacks.<br><br>Bill Byron, vice
president of public relations for Banner, said there was no evidence the
information has been misused in any way. He added that further details
may not be forthcoming.<br><br>“Banner is committed to maintaining the
privacy and security of information of our patients, employees, plan
members and beneficiaries, customers at our food and beverage outlets,
as well as our providers,” said Peter S. Fine, president and CEO of
Banner Health.<br><br>Michael “Mac” McMillan, co-founder and CEO of
security firm CynergisTek, said it was odd that the point of sale
systems at Banner's 27 food service locations that were affected appear
to have been on the same network as clinical systems.<br><br>A <a href="http://www.verizonenterprise.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf" class="gmail-omnitrack">2012 study by Verizon</a>
showed that point of sale systems are responsible for 48% of assets
compromised in healthcare data breaches. While this might seem
counterintuitive, the report continues, it shows that most
cybercriminals are more interested in accessing a patient's bank account
than the details of electronic health records that might be stored in a
file or database server.<br><br>At 3.7 million affected individuals,
the Banner Health breach would be the eight largest on the “wall of
shame” website that's been kept by HHS' Office for Civil Rights. The
site lists all breaches of healthcare information involving 500 or more
individuals since September 2009 when the Health Insurance Portability
and Accountability Act breach notification rule went into effect. <br><br>By
far the largest breach on the list is Anthem's March 2015 cyberattack
that affected the records of 78.8 million individuals. Seven of the top
10 breaches have been cyberattacks. All of those hacking breaches were
reported either this year or last.<br><br>A list of the outlets that were affected can be found <a href="http://bannersupports.com/customers/affected-locations/" class="gmail-omnitrack">here</a>.<br>
</div>