Banner Health announced that it is mailing letters to approximately 3.7 million patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers related to a cyber attack. Banner Health says it immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement.  

On July 7, 2016, Banner Health discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations. The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems. Payment cards used at food and beverage outlets at certain Banner Health locations during the two-week period between June 23, 2016 and July 7, 2016 may have been affected.  The investigation revealed that the attack did not affect payment card payments used to pay for medical services.

On July 13, 2016, Banner Health learned that the cyber attackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers. The patient and health plan information may have included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health. The physician and provider information may have included names, addresses, dates of birth, social security numbers and other identifiers they may use. The investigation also revealed that the attack was initiated on June 17, 2016.

An article by NBC News claims that roughly one out of every three Americans had their health care records compromised and most are completely unaware. Such hacks give criminals a wealth of personal information that, unlike a credit card number, can last forever. Many of those records show up for sale on the “dark web” where hackers openly advertise themselves and what they’ve stolen. One site offers fresh healthcare profiles stolen last year in California boasting “you can use those profiles for normal fraud stuff or to get a brand new healthcare plan for yourself.”

Despite high-profile hacks that have targeted high-profile retailers like Target and entertainment giant Sony Pictures, security experts are warning of a more prized target for identity thieves: medical records. Workers’ Compensation claim offices are also a repository of medical records, as well as the professionals that support them such as law firms. One might suspect that sooner or later, hackers will reach deeper into the smaller caches of prized healthcare data.

Banner Health is offering a free one-year membership in monitoring services to patients, health plan members, health plan beneficiaries, physicians and healthcare providers, and food and beverage customers who were affected by this incident.

It says it “deeply regrets” any inconvenience this may have caused.  Customers with questions can call 1-855-223-4412, from 7 a.m. to 7 p.m. Pacific Time, seven days a week.

Headquartered in Arizona, Banner Health is one of the largest nonprofit health care systems in the country. The system owns and operates 29 acute-care hospitals, Banner Health Network, Banner – University Medicine, Banner Medical Group, long-term care centers, outpatient surgery centers and an array of other services, including family clinics, home care and hospice services, pharmacies and a nursing registry. Banner Health is in seven states: Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming.