A large-scale computer cyberattack at Banner Health compromised the records of up to 3.7 million patients, health-insurance-plan members, food and drink customers, and doctors according to the an Arizona Republic article by Ken Alltucker (1). Banner Health discovered unusual activity on its computer servers in late June and uncovered evidence of two attacks, with hackers accessing both patient records and payment-card records of food and beverage customers. The Phoenix-based health-care provider said it will mail letters to those affected notifying them about details of the cyberattack and steps they can take to protect themselves. Banner employees, many of whom are patients and covered by Banner Health insurance plans, also are believed to be victims of the attack.

The Banner Health attack is the largest among 32 known data breaches involving Arizona-based health and medical providers since 2010 according to an U.S. Department of Health and Human Service list. The breach exceeds all other breaches in Arizona combined by over 1,000,000 affected individuals. Banner also has the dubious distinction of the previous high in Arizona when records of 55,207 were compromised in 2014 (2).

Banner Health officials said they thus far have not received reports of hackers misusing the information, but the health-care provider will offer a free one-year membership in credit-monitoring services to patients, health-plan members and others affected by the cyberattack. The hackers apparently accessed Banner computer systems that process payment-card data at food and beverage outlets at some Banner Health locations. Potential victims can view a list of affected Banner locations in Arizona, Alaska, Colorado and Wyoming at http://bannersupports.com/customers/affected-locations/. On July 13, Banner Health discovered that hackers also may have accessed patient and health-insurance records, which may have included information about doctors and health-care providers. Those records may have included names, birth dates, addresses, doctors' names, dates of service, claims information, health-insurance information and Social Security numbers.

Bob Gregg, chief executive of Portland, Ore.-based ID Experts. said health-care providers are increasingly facing attacks from criminal organizations that resell the information for profit. According to Gregg. a record containing a name, address and Social Security number sells for $1 to $3 on the black market but detailed medical records with unique patient identifying numbers can fetch up to $100 per record.

Banner Health has established a website that details information about the data breach at http://bannersupports.com. Patients or other customers who have questions or concerns about the cyberattack can call 1-855-223-4412.

References

1. Ken Alltucker. Banner Health cyberattack breaches up to 3.7 million records. Arizona Republic. August 3, 2016. Available at: http://www.azcentral.com/story/money/business/health/2016/08/03/banner-health-cyberattack-breaches-up-3-7-million-records/88035474/ (accessed 8/6/16).
2. Robbins RA. Banner prints social security numbers. Southwest J Pulm Crit Care. 2014;8(2):140-1. [CrossRef]

Cite as: Robbins RA. Banner hacked-3.7 million at risk. Southwest J Pulm Crit Care. 2016;13(2):80-1. doi: http://dx.doi.org/10.13175/swjpcc075-16 PDF 

According to the Associated Press, the Centers for Medicare and Medicaid's (CMS) website, HealthCare.gov, has been sending consumers’ personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing (1). What information is being disclosed was not immediately clear, but it could include age, income, ZIP code, and smoking status. It could also include a computer’s Internet address, which can identify a person’s name or address when combined with other information collected by sophisticated online marketing or advertising firms. “We deploy tools on the window shopping application that collect basic information to optimize and assess system performance,” said CMS’s Aaron Albright in a statement. “We believe that the use of these tools are common and represent best practices for a typical e-commerce site.” There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information.

Created under the Affordable Care Act (ACA, Obamacare), HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job. It serves consumers in 37 states, while the remaining states operate their own insurance markets.

Marilyn Tavenner, administrator of CMS, resigned last Friday, effective  February 1. Much maligned for the shaky roll-out of HealthCare.gov, it is unclear if Tavenner's resignation and the revelation of the breech in patient confidentiality are related.

References

1. Associated press. Government health care website quietly sharing personal data. Available at: http://www.cnbc.com/id/102355634 (accessed 1/22/15).
2. Alonso-Zaldivar R. Medicare chief steps down, ran health care rollout. Available at: http://abcnews.go.com/Health/wireStory/medicare-chief-steps-part-health-care-roll-28270777 (accessed 1/22/15).

Reference as: Robbins RA. Healthcare.gov shares personal data with third parties. Southwest J Pulm Crit Care. 2015;10(1):51. doi: http://dx.doi.org/10.13175/swjpcc009-15 PDF