
Banner Health Breach Lawsuit Settled

Plaintiffs' Attorney Says Settlement Totals 'Tens of Millions of Dollars'

A federal court has granted preliminary approval of a multi-million dollar settlement of a consolidated class action lawsuit filed against Banner Health in the wake of its 2016 data breach.

Under the preliminary settlement approved on Dec. 5, the Phoenix-based healthcare delivery network has agreed to pay up to $6 million to class members for reimbursement of expenses related to the breach. The court approved the settlement class as including 2.9 million individuals.

As part of the settlement of the litigation, which consolidated 11 class action lawsuits, Banner Health will also pay for two additional years of credit monitoring for settlement class members in addition to the one year of credit monitoring it originally offered.

That additional credit monitoring coverage includes up to $1 million reimbursement insurance from AIG covering losses due to identity theft and stolen funds.

Banner Health has also agreed to pay $2.9 million for legal costs incurred by plaintiffs’ attorneys in the case, settlement documents show.

Paul Stoller of the Phoenix-based law firm Dalimonte Rueb Stoller LLP, who is a lead attorney for plaintiffs in the lawsuit, tells Information Security Media Group that the total value of the settlement is in “the tens of millions of dollars.”

That includes the $6 million set aside for class members’ expense claims, the additional credit monitoring being paid for by Banner Health, plus security improvements that the healthcare provider will make as part of the agreement.

Security Improvements

Banner Health has agreed to implement “extensive information security improvements” to its enterprise, including a robust set of “future business practice commitments,” according to settlement documents. Details of those improvements are under court seal.

Stoller clarified for ISMG that the settlement covers only 2.9 million individuals, rather than the more than 3.6 million individuals listed as affected in Banner Health’s breach report, due to duplication of some individuals initially identified by the organization as victims in the incident.

Banner Health did not immediately reply to a request for comment.

What Happened?

Banner Health said in 2016 that the data breach started when attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently opening the door to the attackers accessing a variety of healthcare-related information.

The hack of the card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.

In addition to that information, Banner Health said in its statement that cyberattackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. Data exposed could include patient names, birthdates and addresses as well as clinical details, such as physician names, dates of service, claims information and possibly health insurance information and Social Security numbers, Banner said.

Emerging Trends

Commenting on class action lawsuit settlement trends, Steven Teppler of the law firm Mandelbaum Salsburg P.C., who was not involved in the case, tells ISMG: “The trend is for settlements involving protected health information breaches to increase as the understanding of the long-lasting potential for identity compromise becomes more widely understood.”

“Expect negotiations to get tougher. The better course is [for organizations] to expend the resources on shoring up cybersecurity.”

Provisions calling for a breached entity to make improvements to its information security practices are increasingly common in health data breach class action settlements.

For instance, a proposed $74 million settlement approved in June of a consolidated class action lawsuit against Premera Blue Cross requires the health insurer to invest $42 million to bolster its data security (see $74 Million Settlement in Premera Lawsuits Proposed).

Also in 2018, a $115 million settlement in a lawsuit filed against Anthem in the wake of a 2014 cyberattack impacting about 79 million individuals included a provision for the health insurer to nearly triple its cybersecurity budget (see Judge Approved Final $115 Million Anthem Settlement).

Settlement Terms

Under its settlement, Banner Health will reimburse up to $6 million to class members for claims of “ordinary” and “extraordinary” expenses.

“Ordinary expenses,” which will be reimbursed up to $500 per class member, include long distance telephone charges; internet usage charges; documented costs associated with miscellaneous expenses such as notary, fax, postage, copying, and mileage; documented costs associated with credit freezes; and up to three hours of lost time compensated at $15 per hour upon attestation that time was spent as a result of the security incident.

“Personal health information is extremely valuable to threat actors, and provides an easier path to identity compromise on an ongoing basis,” Teppler notes. “While the $500 per class member is better than nothing, it doesn’t reflect providing for future Banner breach-sourced identity compromise.”

Those class members who document “extraordinary expenses” can be reimbursed up to $10,000 each, the settlement notes. Those expenses include documented credit monitoring or identity protection services obtained after receiving notice of the breach above any amounts compensated as ordinary expenses; documented professional fees and other costs incurred to address fraud, such as identity and income tax fraud; expenses tied to new account fraud, existing account fraud, account takeover and medical identity theft; fraud-related unreimbursed charges from banks or credit card companies; and reimbursement for up to 15 additional hours of lost time.

Class members have up to one year to submit claims once the settlement is finalized. A date for the final settlement was not yet set by the court.

“The conditions are onerous, and apart from the rather meager $15 hourly compensation rate … for ID issue resolution work, the time limit for filing one year from the [settlement] notice date presumes that all ID compromise happens within a predetermined - not by threat actors - settlement period,” Teppler notes.

As part of the settlement, Banner Health has also agreed to pay “incentive awards” of up to $5,000 each to the six primary plaintiffs in the class action lawsuits.

Other Troubles?

A consolidated financial statement report for 2016 and 2017 issued in March 2018 by the consultancy Ernst & Young about Banner Health noted that in addition to the healthcare system facing the consolidated class action lawsuit, it was also dealing with an investigation by HHS’ Office for Civil Rights related to the 2016 data breach (see: Financial Fallout from Data Breaches).

But OCR, which enforces HIPAA, has not yet issued any public enforcement action against Banner Health. And the agency does not comment on its breach investigations.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
