Phoenix-based Banner Health is sending out letters to 3.7 million people to inform them of a cyberattack that may have compromised patient information, company officials said Wednesday.
Banner officials said they are notifying patients, health plan members and beneficiaries, food and beverage customers, physicians and health-care providers. The company owns three Tucson hospitals, plus local clinics and a Tucson-based health plan.
Cyberattackers may have gained unauthorized access to names, birth dates, addresses, physician names, dates of service, claims information and possibly health insurance information and Social Security numbers if those were provided to Banner Health, the company said.
The security breach — the largest in company history — did not affect all Banner Health patients, officials stressed, but the scope of the attack could have immense implications. Banner Health, a non-profit, is the state’s largest private employer and operates 29 acute care hospitals in seven states: Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming.
“Worst-case scenario”
Banner is offering a free one-year membership in monitoring services to those affected. There is no indication at this point that the information is being misused, company officials said, though a public interest organization stresses that it can take years for evidence of medical identity theft to show up.
“In terms of severity this is a very severe attack — home address, patient name and some clinical information — it is a perfect setup for medical identity theft,” said Pam Dixon, executive director of the national nonprofit World Privacy Forum, speaking of the Banner cyberattack. “It is the worst-case scenario.”
The most important thing every victim of the breach needs to do is ensure they have an original copy of their medical file, and request one if they don’t, said Dixon, whose organization focuses on providing consumer education about privacy.
Dixon said people need to examine their medical records on an ongoing basis to ensure there are no inaccurate medications or conditions. She advises rechecking the information every six months or so and being on alert for unusual and expensive medications and treatments. Patient information can be used to file false health claims.
“Medical identity theft is one of the fastest ways to make money over time, and we are not talking mom-and-pop operations. These are sophisticated individuals who sell the information on the dark web,” she said.
“It can take up to five years, and all of a sudden your health-care files get altered by fraudulent activity.”
Dixon encourages those affected to accept the free credit monitoring.
Banner Health said anyone with questions should call a Banner Health phone number from 7 a.m. to 7 p.m. Tucson time, seven days per week — 1-855-223-4412.
Additionally the public may access a company website with more information at www.BannerSupports.com.
Credit cards involved
In addition to patient information, credit card data from customers at Banner food and beverage outlets were affected, officials said in a news release.
Three Tucson locations are listed on a company website as those where credit card data, including cardholder name, card number, expiration date and internal verification code, may have been compromised.
The three Tucson locations identified on a Banner Health website are: Banner — University Medical Center Tucson Healing Gardens (at the University of Arizona Cancer Center/North, 3838 N. Campbell Ave.); Banner — University Medical Center Tucson main campus (1515 N. Campbell Ave.); and Banner — University Medical Center South (2800 E. Ajo Way).
Officials said payment cards used at food and beverage outlets at certain Banner Health locations during a two-week period between June 23 and July 7 may have been affected.
Breach detected last month
Banner Health officials said they discovered the food and beverage outlet breach on July 7 and on July 13 learned that the cyberattackers may have gained unauthorized access to patient information in an attack initiated on June 17.
The problem was identified by Banner Health’s information technology group when it noticed “unusual activity,” company spokesman Bill Byron said, though he would not elaborate on the nature of the activity.
He said Banner is notifying those affected by U.S. mail in a process that’s expected to take four to six weeks.
“We are really working hard to work as quickly as we can on the notification process. We have a lot of people who may need help, and we want to give them every opportunity to get help as quickly as they can,” Byron said.
“The important thing to remember is that this is a crime against the people who may have been affected.”
Phishing mail may follow
Dixon said that in general, health entities need to do more to update their security systems and also to ensure there are streamlined systems for patients to amend their medical records when they see fraudulent activity. Right now that process can be long and complicated, and there is a need for clearer rules on how to correct files.
The federal Health Insurance Portability and Accountability Act of 1996, often known as HIPAA, covers medical records and privacy. But the World Privacy Forum believes that HIPAA is not adequately meeting the needs of medical identity victims.
A HIPAA-covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add information that shows the correct information.
Dixon advises victims of medical identity theft to make it a priority to remove from their files information that may affect medical treatment. A second priority should be to remove information from insurance records that will affect payment for future treatment.
Affected consumers also need to beware of convincing phishing mail based on their medical conditions, Dixon said.
“They are made to look like it is from your doctor or hospital, and you have to be really careful,” she said.
“Soft targets”
Dixon said that unfortunately, health-care entities are “soft targets” for cyberattacks. Saving lives is health care’s No. 1 aim, not cybersecurity, she notes.
“It is horrible. Everyone is a victim here,” she said. “In 2016 there have been more cyberattacks on health data than in the past 20 years. The word is out about how lucrative stealing the data is and frankly the health-care sector has got to do a lot more with security updates.”
Banner Health said it worked quickly to block the attackers and is working to enhance the security of its systems to prevent future problems.
Banner also is communicating with payment card networks, officials said.
“Banner Health deeply regrets any inconvenience this may have caused,” the company’s news release states.