(Story updated at 6 p.m. ET)
Banner Health is contacting 3.7 million individuals whose personal information may have been accessed in a cyberattack that began on systems that process credit card payments for food and beverage purchases at Banner locations. The breach then expanded to include patient and health plan information.
The Phoenix-based health system, with locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming, first learned of the attack on July 7, according to a company statement. Around June 23, the attack began to target data from credit cards, including the cardholders' names, card numbers, expiration dates and verification codes.
By July 13, an investigation revealed that the attackers “may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers,” the statement said. “The patient and health plan information may have included names, birth dates, addresses, physicians' names, dates of service, claims information, and possibly health insurance information and Social Security numbers.”
Banner announced Wednesday that it is mailing letters to 3.7 million patients, health plan members and food service customers about the attack. The system has also hired a computer forensics firm, contacted law enforcement officials and is taking steps to prevent further attacks.
Bill Byron, vice president of public relations for Banner, said there was no evidence the information has been misused in any way. He added that further details may not be forthcoming.
“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” said Peter S. Fine, president and CEO of Banner Health.
Michael “Mac” McMillan, co-founder and CEO of security firm CynergisTek, said it was odd that the affected point of sale systems at Banner's 27 food service locations appear to have been on the same network as clinical systems.
A 2012 study by Verizon showed that point of sale systems accounted for 48% of the assets compromised in healthcare data breaches. While this might seem counterintuitive, the report continues, it shows that most cybercriminals are more interested in accessing a patient's bank account than in the details of electronic health records that might be stored in a file or database server.
At 3.7 million affected individuals, the Banner Health breach would be the eighth largest on the “wall of shame” website kept by HHS' Office for Civil Rights. The site lists all breaches of healthcare information involving 500 or more individuals since September 2009, when the Health Insurance Portability and Accountability Act breach notification rule went into effect.
By far the largest breach on the list is Anthem's March 2015 cyberattack that affected the records of 78.8 million individuals. Seven of the top 10 breaches have been cyberattacks. All of those hacking breaches were reported either this year or last.
A list of the outlets that were affected can be found here.