3.7 million individuals have been affected by a Banner Health Network cyberattack discovered last month. The Banner Health Network cyberattack is the largest healthcare data breach to have been announced by a healthcare organization so far in 2016.

Banner Health Network Cyberattack Targeted Hospital Food and Beverage Outlets

The Banner Health Network cyberattack was discovered on July 7, 2016. Attackers had gained access to the computer system used to process card payments at some of the food and beverage outlets in Banner Health hospitals in Alaska, Arizona, Colorado, and Wyoming. Payment card details – card numbers, cardholders’ names, expiry dates, and ccc codes – were compromised in the attack. Insurance claim information may also have been compromised.

The discovery triggered a full investigation into the intrusion, which revealed that hackers first gained access to the system on June 17, 2016. Individuals affected by the breach used cards to pay for purchases at the hospital food outlets between June 23 and July 7, 2016. Card payments for medical services were stored in a separate system, which was not compromised in the attack.

While it was initially thought that only the payment system had been attacked, approximately a week later, on July 13, Banner Health discovered that hackers had also gained access to systems used to store patient health information and employee data. The initial target was payment card data, but once the attackers had gained a foothold in the network, they were also able to explore other parts of it, including systems used to store ePHI.

According to a breach notice issued by Banner Health, the patient data potentially compromised in the attack includes “names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health.”

All affected individuals are being offered a year of complimentary credit monitoring and identity theft protection services with Kroll. Individuals are now being notified of the breach by mail, but due to the sheer scale of the security breach, the process may take some time. Banner Health expects the notification process to be completed by September 9, 2016.

The cyberattack shows how critical it is for intrusions to be detected promptly. The longer hackers have access to a network, the more damage can be done. During the dwell time between the initial intrusion and the discovery of the breach, hackers may be able to roam a network looking for data to steal.