Banner Health breach potentially affects millions

Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients, members, beneficiaries, food and beverage outlet customers, and providers. The nonprofit health system, the largest private employer in Arizona, discovered the attack on the computer systems that process payment card data at certain Banner Health food and beverage outlets on July 7, 2016, and on a limited number of its computer servers on July 13, 2016. After launching an immediate investigation, Banner learned that the attacks began on June 17, 2016. Banner is contacting individuals whose data may have been compromised by mail and will make them aware of free credit protections the company is offering.

Affected data

The data compromised depend on individuals’ relationships with Banner. Improperly disclosed information may include:

  • Patients: names, birthdates, addresses, physicians’ names, dates of service, clinical information, health insurance information, and social security numbers, if one was provided to Banner Health.
  • Members and beneficiaries: names, birthdates, social security numbers, addresses, dates of service and claims information, and health insurance information as a current or former member of a Banner Health health plan, or as a beneficiary of a Banner Health employee benefits plan.
  • Food and beverage outlet customers: payment card data, including cardholder name, card number, expiration date and internal verification code. Specifically, payment cards used at food and beverage outlets at certain Banner Health locations between June 23, 2016, and July 7, 2016, may have been affected.
  • Providers: names, addresses, dates of birth, Drug Enforcement Agency (DEA) numbers, Taxpayer Identification Numbers (TINs), National Provider Identifiers (NPIs), or social security numbers.


It is possible that Banner’s point-of-sale systems were connected to its clinical systems, something that is generally frowned upon by cybersecurity experts, who recommend network segmentation (see Want to safeguard PHI? Involve your workforce, protect your network, Health Law Daily, May 17, 2016). Segmentation involves segregating areas of the network and limiting access to those people, servers, and applications that need it, thereby preventing hackers who enter a system from gaining complete control.


As a covered entity (CE) under the Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191), Banner is required to report breaches of PHI to affected individuals, the media, and the HHS Office for Civil Rights (OCR), consistent with the Breach Notification Rule.