Banner Health paid $1.25 million to resolve federal data breach probe
Phoenix-based Banner Health has paid $1.25 million to settle a federal probe into a massive 2016 data breach from a hacking incident that disclosed the protected health information of roughly 2.8 million consumers.
Investigators found evidence of "long term, pervasive noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule across Banner Health's organization."
The U.S. Department of Health and Human Services' Office for Civil Rights announced the settlement this week.
Banner Health, which is the largest health care delivery system in Arizona and one of the largest nonprofit health systems in the country, has also agreed to implement a corrective action plan to better protect the security of electronic patient health information, federal officials said.
Banner Health officials on Friday did not respond to specific questions about the settlement but said in a written statement that after its computer servers were compromised in a cyber attack. The company self-reported the breach to the HHS Office for Civil Rights. They also notified impacted parties and regulatory agencies and conducted their own investigation, implementing "a variety of safeguards to reduce the likelihood of a similar incident occurring," Banner spokesperson Becky Armendariz wrote in an email.
The company entered the federal settlement voluntarily and is "pleased to resolve this matter and will continue to work diligently in the best interests of our patients, employees and physicians," Armendariz wrote.
Mental health:Phoenix clinic founders pursue 'ideal' approach for addressing mental needs
The company's potential violations of the HIPAA Security Rule are a "serious concern given the size of this covered entity," wrote federal officials, who began their investigation into the Banner Health data breach in November 2016.
"Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network," they said in their news release announcing the settlement.
Banner Health announced on Aug. 3, 2016, that it had sent letters to 3.7 million people, informing them that cyber criminals may have gained unauthorized access to personal information, including names, birth dates, addresses, physician names, and possibly health insurance information and Social Security numbers if they were provided to Banner Health.
Among those notified were patients, health plan members and beneficiaries, food and beverage customers, physicians and health care providers. The attack happened after hackers gained access to Banner's food and beverage payment systems and quickly moved to other servers that contained individuals' medical and personal information.
When the breach happened, Banner initially gave those affected a year of free credit monitoring.
Nonprofits protecting people:How nonprofits are filling in Arizona's health care gaps
Estimates of the number of people affected by the cyber attack have varied, but federal officials in their news release placed it at about 2.8 million consumers.
The cyber attack at Banner was the largest health care data breach of 2016, according to HIPAA Journal.
The federal settlement relates to Banner's potential violation of the HIPAA Security Rule, which aims to protect health information and data from cybersecurity attacks, federal officials said in a news release.
Federal officials say Banner Health's specific potential violations included:
A lack of analysis to determine risks and vulnerabilities to electronically protected health information.
Insufficient monitoring of health information systems’ activity to protect against a cyber attack.
Failure to implement an authentication process to safeguard electronically protected health information.
Failure to have security measures in place to protect electronically protected health information from unauthorized access when it was being transmitted electronically.
In addition to the monetary settlement, Banner Health agreed to a corrective plan that includes conducting a risk analysis to determine risks and vulnerabilities to electronic patient and system data. The health system also agreed to report to the U.S. Department of Health and Human Services within 30 days when workforce members fail to comply with the HIPAA Security Rule.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals," Melanie Fontes Rainer, HHS Office for Civil Rights director, said in a written statement. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks."
After the data breach, Banner Health faced a flurry of lawsuits that eventually were consolidated into a class action that was later settled. Under terms of the settlement, those affected could file claims for expenses connected to the breach.
Reach the reporter at Stephanie.Innes@gannett.com or at 602-444-8369. Follow her on Twitter @stephanieinnes.
This article originally appeared on Arizona Republic: Banner Health paid $1.25 million to resolve federal data breach probe