Banner Health, a provider of hospital services, has notified by mail 3.7 million people, including patients, health plan members, healthcare providers and customers at its food and beverage outlets, that their payment card and health plan data, among other information, may have been compromised.
The provider said Wednesday that it discovered on July 7 that cyberattackers may have gained access to computers that process payment card data at the food and beverage outlets at some of its locations. Payment cards that were used at these outlets at certain Banner Health locations from June 23 to July 7 this year may have been affected, the provider said. Card payments for medical services were not affected, according to the investigation.
By July 13, Banner Health figured out that the attackers may have also gained access to patient information, health plan member and beneficiary information, and information about physicians and healthcare providers.
“The patient and health plan information may have included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health,” the nonprofit healthcare system, with headquarters in Phoenix, Arizona, said in a statement.
The organization also learned that the attack started on June 17 and could have compromised more information. The physician and provider information may have included, for example, names, addresses, dates of birth, Social Security numbers and other identifiers used.
Banner Health said it had immediately launched an investigation and taken measures such as hiring a forensics firm, taking steps to block the cyberattackers, besides contacting law enforcement.
The incident did not affect all Banner Health patients, it said. The provider said it is offering a free one-year membership in monitoring services to patients and other categories of people affected by the incident.
It warned customers of its food and beverage locations to review their payment card statements for any unauthorized activity, stating that payment card rules generally provide that cardholders are not responsible for timely-reported unauthorized charges.