[BreachExchange] Banner Health cyberattack impacts 3.7 million people

[Inga Goddijn]

http://www.modernhealthcare.com/article/20160803/NEWS/160809954

Banner Health <http://www.modernhealthcare.com/section/articles?tagID=750>
is contacting 3.7 million individuals whose personal information may have
been accessed in a cyberattack that began on systems that process credit
card payments for food and beverage purchases at Banner locations. The
breach then expanded to include patient and health plan information.

The Phoenix-based health system, with locations in Alaska, Arizona,
California, Colorado, Nebraska, Nevada and Wyoming, first learned of the
attack on July 7, according to a company statement. Around June 23, the
attack began to target data from credit cards, including the cardholders'
names, card numbers, expiration dates and verification codes.

By July 13, an investigation revealed that the attackers “may have gained
unauthorized access to patient information, health plan member and
beneficiary information, as well as information about physician and
healthcare providers,” the statement said. “The patient and health plan
information may have included names, birth dates, addresses, physicians'
names, dates of service, claims information, and possibly health insurance
information and Social Security numbers.”

Banner announced Wednesday
<http://www.modernhealthcare.com/assets/pdf/CH10636283.PDF> that it is
mailing letters to 3.7 million patients, health plan members and food
service customers about the attack. The system has also hired a computer
forensics firm, contacted law enforcement officials and is taking steps to
prevent further attacks.

Bill Byron, vice president of public relations for Banner, said there was
no evidence the information has been misused in any way. He added that
further details may not be forthcoming.

“Banner is committed to maintaining the privacy and security of information
of our patients, employees, plan members and beneficiaries, customers at
our food and beverage outlets, as well as our providers,” said Peter S.
Fine, president and CEO of Banner Health.

Michael “Mac” McMillan, co-founder and CEO of security firm CynergisTek,
said it was odd that the point of sale systems at Banner's 27 food service
locations that were affected appear to have been on the same network as
clinical systems.

A 2012 study by Verizon
<http://www.verizonenterprise.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf>
showed that point of sale systems are responsible for 48% of assets
compromised in healthcare data breaches. While this might seem
counterintuitive, the report continues, it shows that most cybercriminals
are more interested in accessing a patient's bank account than the details
of electronic health records that might be stored in a file or database
server.

At 3.7 million affected individuals, the Banner Health breach would be the
eight largest on the “wall of shame” website that's been kept by HHS'
Office for Civil Rights. The site lists all breaches of healthcare
information involving 500 or more individuals since September 2009 when the
Health Insurance Portability and Accountability Act breach notification
rule went into effect.

By far the largest breach on the list is Anthem's March 2015 cyberattack
that affected the records of 78.8 million individuals. Seven of the top 10
breaches have been cyberattacks. All of those hacking breaches were
reported either this year or last.

A list of the outlets that were affected can be found here
<http://bannersupports.com/customers/affected-locations/>.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160803/74410796/attachment.html>