Banner Health Alerts 3.7 Million Potential Victims of Hack (bannerhealth.com)
New submitter Netdoctor writes: Apparently Banner Health is the latest victim of a cyber attack, with the Health conglomerate reporting on two incidents in July. While not all Banner customers were affected, payment details as well as customer information were leaked, according to their news brief. Some 3.7 million people are potentially affected by the attack, including patients, health plan members, healthcare providers and customers at its food and beverage outlets. Card payments for medical services appear to be safe. The company is offering a free one-year membership in monitoring services to those who are affected by the breach. Banner Health said in a statement: "The patient and health plan information may have included names, birthdates, addresses, physicians' names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health."
I only have six free credit monitoring services from previous breaches and two are set to expire in a few months.
We keep seeing companies losing the highly private health data of millions of people. At this point, in my opinion, the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence. If companies see the most likely punishment as a small slap on the wrist with little chance of getting caught in the first place, then they'll continue to be sloppy with medical records and other similarly private data. If a couple of dozen insurance companies went Chapter 7 overnight, that would serve as sufficient warning to others that this sort of nonsense will not be tolerated, and the others would be forced to pay attention and take security and privacy seriously.
Check out my sci-fi/humor trilogy at PatriotsBooks.
>successfully sued
Have you lost your mind?! *You* were sold to *them*. But good luck with the lawsuit.
Why even try to secure information anymore - just make it all public.
Only need a way to not use all this info to spoof an identity for financial gain. If the Social Security Admin listed all the names & birthdays & numbers online, I'm sure industry would figure it out. Right?
When I met her, my new friend was an unapologetic drug addict. With my influence, she came to appreciate that being addicted to the street pharmacy's products sucks, and she decided to quit everything cold-turkey. She ended up at the "behavioral health" wing of a Banner hospital.
She came out of her substance-induced psychosis in about a week, and gave me a call. A few days later I realized they wouldn't let her go because they'd started the process to send her for psychiatric torture. I went to the courts. The superior court commissioner investigated, determined the hospital's confinement of their patient was not legal, and ordered they let her go.
I made a minor mistake, and was not able to immediately get her off their campus, and the Banner hospital figured out how to get her off their property very quickly.
Court-ordered Psychiatry is a farce. I found Robert Whitaker's books last fall, after all this went down, and I think he's exactly right. Anatomy of an Epidemic makes the case that psychiatric drugs make people's transient mental problems permanent.
tl/dr: Avoid psychiatry as if your life depends on it.
Big Government -> small people.
We voted big, now we are small.
One year of free credit monitoring is total BS - for people whose information was leaked and gets used for identity theft or other nefarious purposes, they will spend a lot more time and money trying to fix things than the minimal cost to Banner Health for a paltry amount of credit monitoring. Companies in general, but especially companies with sensitive information, should be held to a high level of penalty in cases like this so that they feel real pain when data is breached. Today the impact is so minimal I would bet real $$ that there is some bean counter somewhere that says the cost of the fine is less than the cost of hardening the systems, so let's roll the dice...
With all those monitoring do you feel safer that nobody can do harm with your personal information?
>customers at its food and beverage outlets
Good god! Have you TASTED hospital food? That shit makes the cardboard airline sandwiches seem delicious. Identity theft and credit card fraud is going to be the very least of their problems.
Scare the industry with muahahaha hax0rz then sell "security" to the whole industry. Nobody else notices this trend?
>We keep seeing companies losing the highly private health data of millions of people. At this point, in my opinion, the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence. If companies see the most likely punishment as a small slap on the wrist with little chance of getting caught in the first place, then they'll continue to be sloppy with medical records and other similarly private data. If a couple of dozen insurance companies went Chapter 7 overnight, that would serve as sufficient warning to others that this sort of nonsense will not be tolerated, and the others would be forced to pay attention and take security and privacy seriously.
Now that you're done with your call to have warning signs written in their blood with accompanying heads on a pike in order to form a lynch mob that you will so gloriously lead and people will forever hail your name, somebody should mention that Banner isn't exactly a wall-street darling since it's a non-profit organization. Furthermore if they were fined or otherwise sued out of existence, it would kind of suck for people like me who are presently listed for organ transplant through them, in addition to those receiving services through their local MD Anderson branch and other chronic care facilities.
This is at least partially the government's fault for mandating electronic health records. If it's digital, it is easier to duplicate; if it's online, it is practically an invitation to hack. Combine the two and it is destined to be an absolute failure.
How many breaches of patient data were there when records were on paper?
I can't give them a free pass just for being a nonprofit. The same HIPAA laws apply to them as to a for-profit company. And somebody will get screwed if any health insurance/care provider (for-profit or otherwise) disappears or has to scale back because of huge financial overruns from fines due to gross negligence with patient data. But the alternative to that is to not punish anyone for HIPAA violations, and if there's no punishment for breaking the law, there's no incentive to do the right thing, and no one will.
I really don't see any other solution besides the whole "head on a pike" thing, except perhaps piercing the corporate veil and pressing criminal charges against a bunch of high-ranking executives. That might work, but only if the courts upheld it.
Instead of credit monitoring, why don't we solve the real problem and start holding CRAs and creditors liable for defamation if they misrepresent our credit profiles by reporting identity thieves' actions as our own? Add some rules in there to limit the shenanigans they can use to fling greasy lawyers at the system. The FCRA is better than nothing but doesn't go far enough. The CRAs need to start bearing more of the costs they're creating with their business models.
>the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence.
That would likely have the opposite effect: It would encourage companies to cover up breaches, and notify no one. Most experts already believe that only a small fraction of breaches are publicly reported. Draconian punishment of those trying to be responsible would not be helpful.
The corporate equivalent to useless 'thoughts and prayers': one year of credit monitoring.
Funny how one set of human laws never apply to corporate 'persons': Responsibility.
I didn't say give them a free pass. What I'm saying is that if they were sued out of existence, that would suck for a LOT of people, first of all. Second of all, it's interesting how, of all the parties involved in this, you choose to blame the victim the most.
Besides, with how the industry works, Banner will very likely see a fine in the hundreds of millions of dollars. Just a few weeks ago another hospital got fined 10 million just for having an unsecured wifi that didn't even connect to their internal network, and no data loss or breach had otherwise occurred, so you can see how ruthless club fed is in this department. I work in IT for a health care company (not Banner, if you must ask) myself, and in spite of your best efforts even following all of the best protocols and standards, zero days happen and careless janitors and other necessary but not necessarily mindful employees happen. When you're in any kind of large 1000+ employee company, your armor is quite vast, and all it takes is a little tiny chink.
Right now, every BEAUHD story on front page is some spy shit like hacks, or bait.
Social Engineering solo or for the government BEAUHD?
The actual data attack has no real info. I can see public payment computers/kiosks for the food mart being hacked a la the Target POS hack, but how was the system hack of the data accomplished, unless the public payment processing terminals are also connected to their internal databases? Or they have other systemic problems!