Healthcare , HIPAA/HITECH , Industry Specific

Feds Smack Banner Health With $1.25 Million Fine in Breach

2016 Hacking Incident Affected Nearly 3 Million People
Feds Smack Banner Health With $1.25 Million Fine in Breach
Banner Ocotillo Medical Center in Chandler, Arizona, is one of 30 hospitals Banner Health operates in six states. (Image: Banner Health)

Federal regulators hit multistate hospital system Banner Health with a $1.25 million HIPAA fine in the wake of a 2016 hacking breach that affected nearly 3 million individuals.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The enforcement action against the Phoenix, Arizona-based nonprofit, announced Thursday, is the first seven-figure monetary settlement in a HIPAA breach case by the Department of Health and Human Services' Office for Civil Rights since January 2021.

Over the last two years, the office has focused more on obtaining settlements against organizations in cases involving alleged violations of patients' rights to access health records (see: Lab Fined $16K for Long Delay in Providing Patient Records). Expensive settlements against recognized brands such as Banner have been the exception.

"Hackers continue to threaten the privacy and security of patient information held by healthcare organizations, including our nation's hospitals," said OCR Director Melanie Fontes Rainer in a statement.

Besides paying the monetary settlement, Banner Health pledged to implement a corrective action plan that includes conducting a thorough security risk assessment and developing and implementing a risk management plan to address security risks to electronic personal health information.

Breach Details

HHS OCR initiated an investigation in November 2016 after Banner reported that a threat actor had gained unauthorized access to its systems in a hack potentially affecting millions of individuals.

The PHI of about 2.81 million individuals was compromised in the incident, including patient names, physician names, birthdates, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information, HHS OCR says.

Banner Health in a 2016 statement said the breach started when attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently opening the door to the attackers accessing a variety of healthcare-related information (see: Banner Health Breach Affects 3.7 Million).

The hack of the card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.

In addition to that payment information, Banner Health said in its 2016 statement that cyberattackers may have gained unauthorized access to patient information. Banner Health initially reported the incident as affecting 3.7 million individuals.

Banner Health's settlement with HHS OCR also follows a 2020 multimillion-dollar civil settlement in a proposed class action lawsuit (see: Banner Health Breach Lawsuit Settled).

Banner Health, which operates 30 hospitals in six states, did not immediately respond to Information Security Media Group's request for comment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.