US healthcare insurer Banner Health, based in Phoenix, Arizona, has suffered a large data breach. It has sent letters to over 3.7 million patients, health plan members and beneficiaries, food and beverage customers as well as physicians and healthcare providers. The company has said that this attack does not affect all its customers and partners. It has provided information about the breach and what to do on the company website.
When and how did this happen?
Banner Health says that it first noticed a cyberattack on July 7. This attack started on June 23 and targeted the payment systems at food and beverage stores in some Banner Health locations. Hackers targeted payment card data and were successful in acquiring: “cardholder name, card number, expiration date and internal verification code.”
While investigating the first attack, Banner Health discovered a second attack on July 17. This attack started on June 17 and targeted patient data. Banner Health believes that the attackers stole: “patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers.” This data also includes a lot of personal information, including names, addresses, dates of birth and Social Security numbers. The company has engaged a forensic investigation company to go through its computer systems to look for further attacks.
What happens now?
There is a detailed document on the Banner Health website advising people what to do next. It includes the offer of a free one-year credit monitoring service to everyone who was affected by this incident. The question is whether that is enough. With studies around identity theft showing that the data can be active for several years, a multi-year policy would be better.
Customers and partners will need to take the advice given and check their personal data quickly. This includes paying careful attention to card and bank statements for unauthorised transactions. The same is true of their healthcare statements. Attacks on other healthcare insurers have seen cybercriminals use data to gain access to treatment and prescription drugs which they then sell.
It is also important that customers and partners change any passwords they have used to access Banner Health systems.
Banner Health appears to have responded quickly once the breach was noticed. This still leaves a number of questions unanswered. Is this one attack against two different systems? Are these two separate attacks by hackers working together? How did the malware get onto Banner Health systems? Why was data not encrypted? Were systems compliant with the latest PCI-DSS payment card security rules and HIPAA?
This is going to be a painful time for Banner Health and it will be interesting to see what the outcome of this attack is. The fact that not all patients and partners were affected will be of little comfort to the management. Attacks on healthcare have been rising rapidly over the last year and Banner Health won’t be the last in this business to fall victim to cybercriminals.