US-based health insurance company Banner Health recently announced to its 3.7 million customers as well as relevant healthcare providers that its servers suffered a breach and that sensitive data may have been stolen.
According to Banner Health, the motivation behind the breach remains unclear, but hackers could have targeted sensitive patient, physician and health plan data. The investigation of the hack has revealed that the hackers could also have accessed payment-card data from the Banner Health food and drink outlets.
According to the insurance firm, it has already hired an entire forensics team to assist the company in securing its systems. The firm also laid out the vulnerable information that may or may not have been stolen by the malicious hackers. This includes names, birth dates, addresses, social security numbers, physician names, and claims and health insurance information. Personal information belonging to physicians and healthcare providers including addresses and social security numbers may have also been exposed.
Of the payment data that may have been stolen, cardholder names, card numbers and card expiration dates may be involved. The customers most vulnerable are those who made food and drink purchases in the weeks between June 23rd and July 7th.
“Banner Health immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber-attackers and contacted law enforcement,” the company said in a public statement. It is also offering members who may have been affected by the breach one year of free monitoring services.
“There are mandatory data breach notification laws in the US,” explained Nicola Fulford, member of law firm Kemp Little. “…that is why they are writing to all these people.”
Fulford went on to explain that American health records have been stolen by hackers many times, to the point that it’s becoming a trend within cyber crime:
“Health data is right up there in terms of sensitive data,” she explained. “It is perfect for ID theft. You have everything you need to make fraudulent health insurance claims, for example.”
It’s apparently somewhat common for health insurance data to go up for sale on the dark web. Some countrywide organizations have taken action to try to stop this. In the United Kingdom, for example, England’s NHS expects to spend over $1 billion on cybersecurity and data consent. That’s a quarter of the budget for the new paperless service.
“In the black market for personal information, the records with the most data are the most expensive,” explained Jonathan Sander, a member of cybersecurity company Lieberman Software. “Healthcare information usually offers the bad guys the highest concentration of personal information per record, and therefore is the stolen goods they can sell for the most money.”
While Banner Health may have made the right move in offering its affected customers free monitoring services, at the end of the day the brand has been tarnished by the incident. At the same time, it is not the first healthcare provider to fall victim to malicious hackers, and the rise in such events only further signals the inability of law enforcement to react accordingly.