Feds Smack Banner Health With $1.25 Million Fine in Breach
2016 Hacking Incident Affected Nearly 3 Million People
Federal regulators hit multistate hospital system Banner Health with a $1.25 million HIPAA fine in the wake of a 2016 hacking breach that affected nearly 3 million individuals.
The enforcement action against the Phoenix, Arizona-based nonprofit, announced Thursday, is the first seven-figure monetary settlement in a HIPAA breach case by the Department of Health and Human Services' Office for Civil Rights since January 2021.
Over the last two years, the office has focused more on obtaining settlements against organizations in cases involving alleged violations of patients' rights to access health records (see: Lab Fined $16K for Long Delay in Providing Patient Records). Expensive settlements against recognized brands such as Banner have been the exception.
"Hackers continue to threaten the privacy and security of patient information held by healthcare organizations, including our nation's hospitals," said OCR Director Melanie Fontes Rainer in a statement.
Besides paying the monetary settlement, Banner Health pledged to implement a corrective action plan that includes conducting a thorough security risk assessment and developing and implementing a risk management plan to address security risks to electronic personal health information.
HHS OCR initiated an investigation in November 2016 after Banner reported that a threat actor had gained unauthorized access to its systems in a hack potentially affecting millions of individuals.
The PHI of about 2.81 million individuals was compromised in the incident, including patient names, physician names, birthdates, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information, HHS OCR says.
Banner Health in a 2016 statement said the breach started when attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, a foothold that apparently gave the attackers a path to systems holding a variety of healthcare-related information (see: Banner Health Breach Affects 3.7 Million).
The hack of the card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.
In addition to that payment information, Banner Health said in its 2016 statement that cyberattackers may have gained unauthorized access to patient information. Banner Health initially reported the incident as affecting 3.7 million individuals.
Banner Health's settlement with HHS OCR also follows a 2020 multimillion-dollar civil settlement in a proposed class action lawsuit (see: Banner Health Breach Lawsuit Settled).
Banner Health, which operates 30 hospitals in six states, did not immediately respond to Information Security Media Group's request for comment.