PHOENIX: Banner Health has brought on Levick as part of its response to a massive cyberattack discovered last month.
Hackers accessed 3.7 million records from the hospital’s locations in Arizona, Colorado, Alaska, and Wyoming.
The hospital system identified the hack of its food and beverage outlets on July 7. A week later, it learned patients’ personal, medical, insurance, and beneficiary information was separately accessed, along with some employees’ personal information.
"You get questions regarding why didn't you announce immediately when you found out," said Bill Byron, VP of PR for Banner Health. "It takes time to get the [credit and identity monitoring] services of Kroll, to work with the ongoing investigation, and build the communications plan. The position we were trying to avoid is the information getting out, and we’re not there to support yet."
Banner is warning those affected that the two attacks potentially compromised credit card information, personal information like names, birthdates, and Social Security numbers, and medical information.
"I think calming people down is not possible once you’ve had your identity exposed or credit card exposed," Byron said. "It’s more to provide support to people who believe they have been affected. That had a calming effect, knowing there are resources available."
Banner has sent out 3.7 million letters, set up a website with details of the attack and resources, and created a dedicated call center for affected patients. The hospital system is also offering one year of free credit and identity monitoring so patients can ensure their information is not being used.
"Its engaging people where they are," said Jason Maloni, leader of the data security and privacy team at Levick, which is working on the crisis. "For employees, conversations have been handled in person, and online they’re creating resources for them such as hotline and a website. They’re doing a very good job being direct and forthright, which is the best response to cyber attacks."
Banner Health is the most recent of a series of cyberattacks on hospitals this year. MedStar Health lost access to its computer systems for days in March, and Hollywood Presbyterian Medical Center paid $17,000 to a ransomware attack in February.
"As an industry, I think we’re responding as best we can," Byron said. "But clearly we seem to be an industry that's often targeted [by cyber attacks], quite likely because of the kind of information we have access to."