A wide range of information was exposed, from credit card numbers to patient data.
Banner Health, which owns and operates 29 hospitals in seven states, recently began notifying approximately 3.7 million patients, health plan members and beneficiaries, food and beverage customers, physicians and healthcare providers that their information may have been exposed as a result of a cyber attack.
On July 7, the company discovered that hackers may have accessed computer systems that process payment card data at food and beverage locations at some Banner Health facilities, potentially exposing the names, card numbers, expiration dates and verification codes for those who used payment cards at Banner Health food and beverage locations between June 23 and July 7, 2016.
Six days later, the company determined that the hackers may also have accessed patient information, health plan member and beneficiary information, and information on physicians and healthcare providers, beginning on June 17, 2016.
The potentially exposed patient and health plan information includes names, birthdates, addresses, physicians’ names, dates of service, claim information, and some health insurance information and Social Security numbers.
The potentially exposed physician and healthcare provider information includes names, addresses, birthdates and Social Security numbers.
“Banner Health worked quickly to block the attackers and is working to enhance the security of its systems in order to help prevent this from happening in the future,” the company said in a statement. “Banner Health is also working with the payment card networks so banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”
In a separate breach announced earlier this week, a hacker stole more than 150 GB of data from the Central Ohio Urology Group and posted a link to the stolen data online. The files posted include names, mailing addresses, phione numbers, birthdates, diagnoses, insurance providers and account numbers, DataBreaches.net reports.
Balabit product manager Csaba Krasznay told eSecurity Planet by email that patient data has real value on the black market, putting hospitals directly in hackers’ crosshairs. “Every healthcare institution must realize that their patients’ data is their most valuable data, and serious protection means, at the least, the introduction of the same security measures now protecting other sectors, with special attention to internal users whose stolen credentials are usually used in cyber attacks,” he said.
“From an IT security perspective, healthcare is one of the most interesting sectors, because so much sensitive personal data — such as previous diseases, drug usage habits, etc. — resides in digital format — often without proper security measures,” Krasznay added.
Michael Magrath, director of business development at VASCO Data Security, said by email that while banks spend from 10-12 percent of their IT budgets on security, recent studies have found that healthcare organizations spend just 3-7 percent. “Healthcare organizations must get serious about IT security,” he said. “CEOs need to be held accountable for this never-ending stream of breaches. 3-7 percent of an IT budget allocated to security just doesn’t cut it anymore, and organizations must step up.”