
Data breach at Banner Health affects 3.7 million

By: Lisa Marlin

August 11, 2016

This week, as the massive data breach at Banner Health continues to make headlines following its announcement on Aug. 3, one Arizona physician has filed a class action lawsuit against the Phoenix-based health system. Ophthalmologist Dr. Howard Chen is one of 3.7 million people who may have had personal information exposed in the hacking incident, which affected Banner Health’s point-of-sale network in 27 cafeterias and its patient information system.

According to a report in the Arizona Republic, the doctor alleges the credit and identity theft protections Banner has offered to breach victims are inadequate and that the system was negligent in allowing the data to be compromised.

While there has been no response to this new accusation, Banner stated on Aug. 3 that it first learned of the attack on its point-of-sale network on July 7 and that on July 13 it was discovered that its patient information system was compromised. The latter breach exposed individuals’ birthdates, addresses, physicians’ names, dates of service and claims information, and possibly health insurance information and Social Security numbers.

The data breach would be the largest of 2016 and the eighth largest in healthcare history. Banner states that steps are being taken to enhance the security of its systems in order to help prevent another hack in the future.

As this story and the accompanying lawsuit continue to unfold, David Ginsberg, CEO of PrivaPlan Associates, Inc., says that because no reports have been made public on how the breach happened, it is difficult to speculate how Banner Health could have prevented it. However, he does offer some suggestions about being aware of any “opening” into a network, such as the point-of-sale system the cafeterias may have had.

A checklist to protect data:

  • Evaluate all systems, even those that seem unimportant. Hackers can exploit the weakest link.
  • Separate systems using segmented network architectures.
  • Perform external penetration testing on a regular basis to fully understand the risk from the internet.
  • Have an internal vulnerability scan performed by a reputable company to assist in identifying risks inside your network.

Let PrivaPlan help. For more information or other services PrivaPlan provides, contact our HIPAA experts at info@privaplan.com or call 877-218-7707.