Cyberattackers gained access to "a limited number" of Banner Health computer servers, including the servers that process payment card information where food and beverages are sold at the Phoenix-based health system. Overall, 3.7 million patients, Banner health plan members and beneficiaries, food and beverage customers and providers, may be affected, making it the largest healthcare data breach of 2016.
The attack was initiated June 17, according to Banner's investigation. Potentially compromised information includes patient names, addresses, birthdates, physician names, dates of service, clinical information, health insurance information and Social Security numbers if one was provided to the system. For those enrolled in a Banner health plan, claims information, insurance information and employee benefit information may also have been affected. Provider names, addresses, Drug Enforcement Agency numbers, tax identification numbers and national provider identifier numbers may have also been involved.
Banner indicates the cyberattackers targeted payment card data, and cards used at food and beverage outlets at certain Banner Health locations between June 23 and July 7 may be affected by the attack. Cardholder names, card numbers, expiration dates and internal verification codes were compromised. Banner Health released a list of 27 food and beverage locations that were affected by the cyberattack.
The health system says it has returned to accepting all forms of payment at food outlets. "You can use your payment card with confidence," according to the health system. Payment cards used to pay for medical services were not affected.
Banner is offering free credit and identity monitoring to affected individuals for one year and has notified the DEA and providers' licensing boards of the incident. The health system also says it is enhancing the security of its networks systems.
"Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers," Peter Fine, president and CEO of Banner Health, said in the notice.
More articles on data breaches:
Yahoo investigates possible 200M user data breach
Possible data breach at St. Peter's Health Partners after man given records of other patients
FTC says LabMD liable for lax data security in 2013 breach, overturns judge's dismissal of case