US health insurer Banner Health has written to 3.7 million customers and healthcare providers to warn that their data may have been stolen, after a cyber-attack.
The breach may have exposed data on patients, physicians and health plans.
An investigation revealed that attackers may have also accessed payment-card data at Banner Health food and drink outlets.
The firm says it has hired a forensics team to help it secure its systems.
According to Banner Health, patient and health plan information potentially stolen in the breach could contain:
- name, birth date and address
- social security number
- physician’s name
- claims and health insurance information
Personally identifiable information, including addresses and social security numbers, belonging to physicians and healthcare providers may also have been leaked.
The payment data that may have been stolen includes cardholder names, card numbers and card expiration dates.
Customers at certain locations who made food and drink payments in the two weeks between 23 June and 7 July might be affected.
“Banner Health immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber-attackers and contacted law enforcement,” the company said in a statement.
It is offering a free one-year membership in monitoring services to customers and healthcare providers affected by the breach.
“There are mandatory data breach notification laws in the US; that is why they are writing to all these people,” said Nicola Fulford at law firm Kemp Little.
Ms Fulford said there was a trend of US health records being targeted by hackers.
“Health data is right up there in terms of sensitive data,” she told the BBC.
“It is perfect for ID theft. You have everything you need to make fraudulent health insurance claims, for example.”
Health insurance data has been stolen and sold on the dark web in the past.
In the UK, the NHS in England is expected to spend £1bn on cybersecurity and data consent – a quarter of the budget for a new paperless service.
“In the black market for personal information, the records with the most data are the most expensive,” said Jonathan Sander at cybersecurity company Lieberman Software.
“Healthcare information usually offers the bad guys the highest concentration of personal information per record, and therefore is the stolen goods they can sell for the most money.”