Banner Healthcare Breach Exposes Patient Records and Cafeteria Credit Cards

August 9, 2016 CyberCecurity Leave a comment

You might wonder how an attack against a large healthcare provider would expose both patient records and credit cards used in the cafeteria. Stay tuned to learn how not to follow in their footsteps.

The attack on Banner Health began in mid June and was discovered only a few weeks later. However, in that short window, records of 3.7 people were likely compromised.

Banner Health has locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming.

The attackers went after both payment card information for customers of the cafeterias and patient records.

Banner is in the process of sending letters to patients, health insurance customers, cafeteria customers, doctors and other staff – basically anyone who had any business with the hospital chain.

On the credit card side, the hackers got card numbers, names, expiration dates and verification numbers.

For patient records, the attackers may have gotten names, addresses, birth dates, social security numbers, doctors names, claim information, dates of service, health insurance information and social security numbers.

From the Banner Health standpoint, things really couldn’t get much worse. It appears that the hackers had the run of the place.

Health information is highly sought after by crooks because it can fetch 25 to 100 times more money than credit card information. After all, as soon as the credit card is used once, the fraud can be detected and the card cancelled. With health care information, that information can be used for years to make fraudulent claims. And, patient attackers can wait years before starting to use it.

Already a lawsuit has been filed against the hospital chain alleging negligence due to insufficient data security policies and failing to prevent the attack. While these suits are hard to win, they are incredibly expensive to defend and are distracting for years.

While Banner is calling this two separate breaches – one discovered on July 7th and the other on July 13th, it seems like it is probably a single attack, just discovered at different times.

What this could mean – and Banner is not saying – is that the cafeterias and the patient care records were on the same network or that the hacker figured out how to bridge these two totally separate networks. This is the part where Banner could be in trouble depending on what is discovered.

In my opinion, and a lot of people agree with me, under no circumstances should the cafeteria and patient care systems be on the same network. Even if the cafeteria needs to be able to charge patients room bills for meals, there are many ways to do this without connecting the cafeteria with the patient care network.

It is important to understand that no one has said that the networks were connected, but it seems likely given the circumstances.

If it is, this is a huge mistake on the part of the hospital chain.

Segmentation and even micro segmentation has become the mantra of the security community. By isolating systems from each other, you make it much harder for attackers to gain access to multiple systems with a single attack.

Whether Banner suffered from this design flaw or not, every other company should be looking at it’s network to see if it suffers from that flaw. Otherwise, they run the risk of a much bigger breach than would be otherwise possible.

Information for this post came from Arizona Central, Modern Health Care , Arizona Central and Security Week.