- Arizona-based Banner Health recently announced that it had experienced a cybersecurity attack potentially affecting 3.7 million patients, members and beneficiaries, providers, and food and beverage outlet customers. The possible health data breach was discovered on July 13, 2016 but an investigation from a hired forensics firm revealed that the initial attack occurred on June 17, 2016.
Banner reported that the cybersecurity breach affected “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets.”
“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” Banner Health President and CEO Peter Fine said in a statement.
Affected patients may have had names, dates of birth, addresses, physicians’ names, dates of service, clinical information, and possibly health insurance information accessed. If Social Security numbers were provided, then those may also have been exposed.
Members and beneficiaries potentially had names, dates of birth, Social Security numbers, addresses, dates of service and claims information, and health insurance information as a current or former health plan member or beneficiary exposed.
The food and beverage outlet breach was discovered on July 7, 2016, according to the Banner website. Payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. The possibly affected locations on Banner’s list are in Arkansas, Arizona, Colorado, and Wyoming.
“The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems,” Banner said.
For providers, names, addresses, dates of birth, DEA (Drug Enforcement Agency) numbers, TINs (Tax Identification Number), NPIs (National Provider Identifiers) numbers, or Social Security numbers may have been affected in the health data breach.
Data breach notification letters are being sent out by mail to those potentially affected, and should be received by September 9, 2016.
“We have returned to accepting all forms of payment at food and beverage facilities. You can use your payment card with confidence,” Banner explained. “This incident did not affect payment cards used for payment of medical services.”
Bizmatics data breach affects 13,674 more individuals
North Carolina-based Uncommon Care, P.A. is reportedly another victim of the Bizmatics data breach, and recently announced that unauthorized access to data occurred in 2015.
Uncommon Care said on its website that Bizmatics informed it in April 2016 that Bizmatics “could not determine that the records of Uncommon Care's patients were accessed or acquired by unauthorized persons, or used in an unauthorized manner.”
“Although there is no evidence at this time that patient information, which may include name, date of birth, social security number, address, or medical diagnosis, was improperly accessed or used, in an abundance of caution we decided it was appropriate to post this notification,” the statement read.
While not mentioned on the Uncommon Care website, the OCR data breach reporting tool states that 13,674 individuals may have been affected by this incident.
PHI released to patients through CDs at Ala. facility
American Family Care (AFC) is notifying patients that PHI security was compromised when X-ray CDs were provided to patients at the organization’s Alabaster, Flintridge, and Wetumpka, Alabama clinics, as well as the Smyrna, Tennessee clinic.
The discs were given out between August 26, 2015 and June 14, 2016. The problem occurred with a reported error in the design and installation of third-party software. Because of this, patient names, dates of birth, patient gender, and patient identification numbers may have been exposed.
However, AFC said that Social Security numbers, driver’s license numbers, financial data, and home addresses were not included on the CDs.
The OCR data breach reporting tool lists 7,200 individuals as possibly being affected by the incident.
AFC added that notifications have been sent out to those who were potentially affected.
“After conducting a thorough internal investigation AFC is confident the issue involving the third-party software has been resolved,” the statement read. “Furthermore, additional steps have been taken to ensure incidents like this do not happen again.”
Unauthorized employee access leads to potential data breach
Memorial Hermann Health System recently announced that patient records may have been compromised after an employee accessed the data outside of normal job duties.
The incident was discovered on July 7, 2014, but the unauthorized access reportedly occurred from December 2007 to July 2014. Only certain patients during that time frame may have been affected.
Accessed information included patients’ names, addresses, medical record numbers, dates of birth, health insurance information, and Social Security numbers in a few cases. Financial information was not included.
A forensic investigation was launched after the discovery, and the employee’s access to medical records was suspended.
Memorial Hermann began to send out data breach notification letters via mail on August 29, 2014. The OCR breach reporting tool states that 10,604 individuals may have been affected.
It is unclear why the public notification went up on July 28, 2016, when the incident took place in 2014.
“We recommend that you regularly review the explanation of benefits statement that you receive from you or your child’s health insurer,” the statement read. “If you identify services on the explanation of benefits that you did not receive, please immediately contact the insurer.”