Banner Health has paid $1.25 million to settle HIPAA violations that led to a hack that exposed data of 2.81 million.

Banner Health settles hacking incident that exposed data of 2.81 million for $1.25 million

February 10, 2023
by John R. Fischer, Senior Reporter

Banner Health Affiliated Covered Entities, based in Phoenix, will pay $1.25 million to the U.S. Department of Health and Human Services for a hacking incident that leaked 2.81 million patients’ protected health information.

The incident occurred in 2016, with the hacker accessing patient names, physician names, dates of birth, addresses, social security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

An investigation found that Banner Health had, for an extended period, failed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It lacked an organization-wide analysis of potential vulnerabilities to its electronic protected health information (ePHI); sufficient monitoring of the cybersecurity measures on its health information systems; an authentication process; and measures to protect PHI from unauthorized access while in transit.

“It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyberattacks,” said OCR Director Melanie Fontes Rainer in a statement.

Banner Health is one of the largest nonprofit health systems in the U.S., operating in six states with more than 50,000 employees.

Along with the settlement amount, the organization will abide by a comprehensive corrective action plan that complies with the HIPAA Security Rule, and will be monitored for two years by OCR.

The plan's steps are: