A cyberattack at Phoenix-based Banner Health compromised the private records of 3.7 million people, the company announced Wednesday.
The attack, which breached both patient records and payment-card records of food and beverage customers, affected everyone from patients and health-insurance-plan members to food and drink customers, and doctors, The Arizona Republic reported.
Discovered in late June, the attack is the largest among 32 cyberattacks against Arizona-based health and medical providers since 2010, the Repubic noted. It is the eighth largest among all breaches of healthcare information involving 500 or more individuals since September 2009, Modern Healthcare reported, citing the U.S. Department of Health and Service's Office for Civil Rights.
Medical records are an attractive target for hackers who use the details to fraudulently bill insurers.
"Most Americans don't understand what goes on your medical records," Bob Gregg, chief executive of Portland, Ore.-based ID Experts, told the Republic. "It's a treasure trove of information."
Banner Heath said it would offer one-year memberships in credit-monitoring services for those affected by the security breach to monitor whether hackers are misusing the information, the company said in a news release.
On July 7, an attack compromised payment-card data used at locations in
Arizona, Alaska, Colorado and Wyoming from June 23 through July 7. Those locations are listed on Banner Health's website. On July 13, officials discovered that hackers also may have accessed patient and health-insurance records.
The attack didn't affect payment-card information for transactions related to medical expenditures, The Phoenix Business Journal reported.
"Banner Health encourages its food and beverage customers to remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity. These customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner," the company said.
Twitter users expressed concern about the cyberattack.