Dining services data hit in security breach at Banner Health locations

Twenty-seven food and beverage locations in Alaska, Arizona, Colorado and Wyoming were among the areas compromised in a large-scale data breach at Banner Health affecting up to 3.7 million people, the healthcare provider announced this week.

“On July 7, 2016, Banner Health discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations,” the provider said in a news release. “The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems” during the period from June 23 to July 7. Joshua Fels, director of culinary and nutrition services at Banner University Medical Center in Phoenix, was unavailable for comment.

Banner says the attackers have since been blocked, and it is now safe to use payment cards at food and beverage outlets. Patients, health plan members, health plan beneficiaries, physicians and healthcare providers, and food and beverage customers who were affected by this incident are being offered free one-year memberships to credit monitoring services.

The Arizona Republic reports that the Banner Health attack is the latest and largest among 32 known data breaches involving that state’s health and medical providers since 2010, according to a list maintained by the U.S. Department of Health and Human Services. Most of the data breaches among Arizona healthcare providers stemmed from lost or stolen laptops, computer drives or paper documents, the Republic reports.

CSP Magazine, FoodService Director’s sister publication, has identified four categories of personal and business data that operators should safeguard, where that data resides, and how to protect each.

Payment

What: Credit and debit card numbers, including “track data” found on magnetic-stripe payment cards.

Where: Point-of-sale terminals, higher-end PIN pads, the electronic payment server or forecourt controller, back-office computers, the company network and the central database or server. Any other device connected to the same network could potentially see this data as well.

Ways to protect: Make sure all devices have application control capabilities to “whitelist” programs, so that only predetermined, approved programs can run. Other tactics include encrypting card data and segmenting the payment network from the rest of the company network.

Loyalty, Marketing & Sensitive Data

What: Information collected to run loyalty programs, to communicate special promotions or offers, and to issue company-branded credit cards, as well as internal information on pricing, sales and strategies.

Where: POS, PIN pads, network, back-office computers, employee laptops and mobile devices, and corporate servers.

Ways to protect: Firewalls, passwords, employee training, limited access and strong authorization processes. Protect data via encryption, and employ automated solutions that monitor for intrusions or allow only approved programs to run.

Employees

What: Data needed to hire, schedule, train, review and pay employees.

Where: Back-office computers, network and corporate servers.

Ways to protect: Secure in the same ways as loyalty-program and business-sensitive data, implementing strong authorization models and strictly limiting each type of information to those who absolutely need it.

Third Party

What: Personal data that a third party, such as a loyalty program provider, holds on the operator’s behalf, including customer and employee information or sensitive data about company operations.

Where: On third-party computers, networks, devices and servers.

Ways to protect: Write contracts that stipulate security requirements, ask for certifications, demand proof of security claims, and use vendors with strong reputations for maintaining high security standards.

Angel Abecede contributed to this report.