Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banner Health Alerts 3.7 Million Potential Victims of Hack (bannerhealth.com)

Posted by BeauHD on from the victims-of-cyber-attacks dept.

New submitter Netdoctor writes: Apparently Banner Health is the latest victim of a cyber attack, with the Health conglomerate reporting on two incidents in July. While not all Banner customers were affected, payment details as well as customer information were leaked, according to their news brief. Some 3.7 million people are potentially affected by the attack, including patients, health plan members, healthcare providers and customers at its food and beverage outlets. Card payments for medical services appear to be safe. The company is offering a free one-year membership in monitoring services to those who are affected by the breach. Banner Health said in a statement: âoeThe patient and health plan information may have included names, birthdates, addresses, physiciansâ(TM) names, dates of service, claims information, and possibly health insurance information and social security numbers, if provided to Banner Health."

19 of 30 comments (clear)

  1. Good timing by Anonymous Coward · · Score: 5, Funny

    I only have six free credit monitoring services from previous breaches and two are set to expire in a few months.

  2. I think it's time for the corporate death penalty. by dgatwood · · Score: 2

    We keep seeing companies losing the highly private health data of millions of people. At this point, in my opinion, the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence. If companies see the most likely punishment as a small slap on the wrist with little chance of getting caught in the first place, then they'll continue to be sloppy with medical records and other similarly private data. If a couple of dozen insurance companies went Chapter 7 overnight, that would serve as sufficient warning to others that this sort of nonsense will not be tolerated, and the others would be forced to pay attention and take security and privacy seriously.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Why Try by psyclone · · Score: 3, Insightful

    Why even try to secure information anymore - just make it all public.

    Only need a way to not use all this info to spoof an identity for financial gain. If the Social Security Admin listed all the names & birthdays & numbers online, I'm sure industry would figure it out. Right?

    1. Re:Why Try by ShanghaiBill · · Score: 3, Insightful

      Why even try to secure information anymore - just make it all public.

      Bingo. This is the solution. It is idiotic to have numbers, including SSNs and CC numbers, that need to be both secret and widely known. Everyone I have ever done business with (as an employee, contractor, contractee, patient, client, etc.) knows my SSN. Every waiter in most local restaurants has had access to my CC numbers along with the super secret 3-digit code that is printed directly on the card in plain view. It is absurd that someone can establish and use credit in my name with mere knowledge of these numbers. These numbers should be public so there can be no presumption that they are secret, and there should be a separate system of authentication that is not based on knowing semi-public information.

    2. Re:Why Try by bjdevil66 · · Score: 1

      Did you just mean making SSNs public? They should be public info, like our names/address, but the number is being used as both an ID (by some) AND the password (by others). It should only be used as a ID key; utilizing it as a password is asinine.

      If you meant ALL information public... That would be ok as long as it remained as anonymous data (which makes it worthless). Once it becomes "information" (grouped into meaningful data about something or someone), no thanks. If you want to, go ahead - but we'll be expecting all of your dick picks be posted alongside everyone else's - with names, addresses, phone, email, @twitter name, facebook account, etc.

    3. Re:Why Try by bjdevil66 · · Score: 1

      And I agree that the financial industry (and anyone else who stores anything of value) would have to abandon the SSN as a key to access to our assets, but we'd just have to come up with some other replacement. We won't be able to share everything (all information) like that until we're all ready to share/give anything of ours to anyone else without question - in some kind of utopian community, where nobody wants to be better than their neighbor when it comes to physical wealth. We're still a little ways off from that...

    4. Re:Why Try by psyclone · · Score: 1

      I only meant what most people classify as personally identifiable, but already shared information: name, address, phone numbers, email, social media handles, SSN, birthdate, stuff like that.

      We need some other mechanism than a hidden number that is shared with many institutions to verify identity. And biometric data doesn't work either as it can be cloned (e.g. 3D print a fingerprint from a scan, etc).

  4. Do you feel safer? by JcMorin · · Score: 1

    With all those monitoring do you feel safer that nobody can do harm with your personal information?

    1. Re:Do you feel safer? by ShanghaiBill · · Score: 1

      With all those monitoring do you feel safer that nobody can do harm with your personal information?

      Yes. I received free monitoring from Home Depot, and my wife got it from Target. So now we get an email alert anytime anyone makes a credit inquiry or applies for credit in our name. That is helpful, but it would make WAY more sense for that to be the default, rather than a special service. These monitoring services are due to expire soon, but I am hoping I will be the victim of yet another breach so I can get another year for free.

    2. Re:Do you feel safer? by tlhIngan · · Score: 1

      So now we get an email alert anytime anyone makes a credit inquiry or applies for credit in our name. That is helpful, but it would make WAY more sense for that to be the default, rather than a special service.

      But it won't make the credit reporting agencies any money.

      Ever notice how hard it is to get your one free credit report? You normally have to send them a letter by snail mail with a bunch of information on it. And not only do they not provide a simple form to fill out and mail, they want you to write it. In the meantime, they say for $20/year, you can get full access to your credit report 24/7. And repeat it with the other agencies as well.

      That's why those monitoring agencies even exist - either they're sponsored by the credit agencies to extract money form the user, or a third party to navigate the annoyingly complex way the credit agencies

    3. Re:Do you feel safer? by ShanghaiBill · · Score: 1

      Ever notice how hard it is to get your one free credit report?

      No. I go to freecreditreport.com, answer a few security questions to prove I am me, and get my report. Takes about 30 seconds.

      You normally have to send them a letter by snail mail with a bunch of information on it.

      Baloney. I have never had to do that.

  5. Re:I think it's time for the corporate death penal by ArmoredDragon · · Score: 1

    We keep seeing companies losing the highly private health data of millions of people. At this point, in my opinion, the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence. If companies see the most likely punishment as a small slap on the wrist with little chance of getting caught in the first place, then they'll continue to be sloppy with medical records and other similarly private data. If a couple of dozen insurance companies went Chapter 7 overnight, that would serve as sufficient warning to others that this sort of nonsense will not be tolerated, and the others would be forced to pay attention and take security and privacy seriously.

    Now that you're done with your call to have warning signs written in their blood with accompanying heads on a pike in order to form a lynch mob that you will so gloriously lead and people will forever hail your name, somebody should mention that Banner isn't exactly a wall-street darling since it's a non-profit organization. Furthermore if they were fined or otherwise sued out of existence, it would kind of suck for people like me who are presently listed for organ transplant through them, in addition to those receiving services through their local MD Anderson branch and other chronic care facilities.

  6. Re:I think it's time for the corporate death penal by Anonymous Coward · · Score: 1

    this is at least partially the government's fault for mandating electronic health records. if it's digital it is easier to duplicate; if it's online, it is practically an invitation to hack. combine the two it is destined to be an absolute failure.

    how many breeches of patient data were there when records were on paper?

  7. Re:I think it's time for the corporate death penal by dgatwood · · Score: 1

    I can't give them a free pass just for being a nonprofit. The same HIPAA laws apply to them as to a for-profit company. And somebody will get screwed if any health insurance/care provider (for-profit or otherwise) disappears or has to scale back because of huge financial overruns from fines due to gross negligence with patient data. But the alternative to that is to not punish anyone for HIPAA violations, and if there's no punishment for breaking the law, there's no incentive to do the right thing, and no one will.

    I really don't see any other solution besides the whole "head on a pike" thing, except perhaps piercing the corporate veil and pressing criminal charges against a bunch of high-ranking executives. That might work, but only if the courts upheld it.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Re:I think it's time for the corporate death penal by ShanghaiBill · · Score: 1

    the only thing that will stop this is a couple of high-profile companies getting successfully sued or fined out of existence.

    That would likely have the opposite effect: It would encourage companies to cover up breaches, and notify no one. Most experts already believe that only a small fraction of breaches are publicly reported. Draconian punishment of those trying to be responsible would not be helpful.

  9. Thoughts and prayers by ThatsNotPudding · · Score: 1

    The corporate equivalent to useless 'thoughts and prayers': one year of credit monitoring.

    Funny how one set of human laws never apply to corporate 'persons': Responsibility.

    1. Re:Thoughts and prayers by The-Ixian · · Score: 1

      I guess it is a good time to be in the credit monitoring business...

      --
      My eyes reflect the stars and a smile lights up my face.
  10. Re:I think it's time for the corporate death penal by ArmoredDragon · · Score: 1

    I didn't say give them a free pass. What I'm saying is that if they were sued out of existence, that would suck for a LOT of people first of all, second of all, it's interesting how of all parties involved in this, you choose to blame the victim the most.

    Besides, with how the industry works, Banner will very likely see a fine in the hundreds of millions of dollars. Just a few weeks ago another hospital got fined 10 million just for having an unsecured wifi that didn't even connect to their internal network, and no data loss or breach had otherwise occurred, so you can see how ruthless club fed is in this department. I work in IT for a health care company (not Banner, if you must ask) myself, and in spite of your best efforts even following all of the best protocols and standards, zero days happen and careless janitors and other necessary but not necessarily mindful employees happen. When you're in any kind of large 1000+ employee company, your armor is quite vast, and all it takes is a little tiny chink.

  11. details on the hack! by zlives · · Score: 1

    the actual data attack has no real info, i can see public payment computers/kiosks for foodmart hacked ala Target POS hack, but the system hack of data how was that accomplished unless the payment processing public terminals are also connected to their internal databases? or they have other systemic problems!