Banner Health pays $1.25 million to settle cybersecurity breach involving 3 million patients
Banner Health Affiliated Covered Entities (Banner Health), a nonprofit health system headquartered in Arizona, has paid $1.25 million to the HHS Office for Civil Rights (OCR) to settle an investigation into potential HIPAA violations stemming from a 2016 cybersecurity breach.
The incident involved a hacker gaining access to the health system's infrastructure and exposing personal information on close to 3 million patients. The hacker accessed a wide range of protected health information (PHI) covered by HIPAA, including patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks.”
According to OCR, the potential violations “specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.”
OCR states that its investigation found evidence of “long-term, pervasive noncompliance” with the HIPAA Security Rule, a major concern for one of the largest non-profit health systems in the country.
On top of the $1.25 million payment, Banner Health has agreed to a corrective action plan that changes its privacy and security practices, including conducting a thorough risk analysis of the vulnerabilities to its electronic PHI and implementing a risk management plan to address the weak points that analysis identifies. The health system will also regularly review activity within its information systems to further safeguard data, and must report to HHS within 30 days any failure to comply with the HIPAA Security Rule.
OCR will monitor the health system’s corrective action plan for two years to ensure compliance.
Neither the settlement nor the incident behind it is an isolated case. In 2022, OCR recorded close to 600 data breaches across the healthcare sector, including ransomware and hacking incidents, affecting millions of patients.
While cybersecurity insurance is growing in popularity as a way to offset the financial and reputational costs of a breach, it is no substitute for prevention. The safeguards OCR faulted Banner Health for lacking (an enterprise-wide risk analysis, monitoring of information system activity, an authentication process, and protection of electronic PHI in transit) are all requirements of the HIPAA Security Rule, and an organization that implements them substantially reduces both its breach exposure and its enforcement exposure.
“The Office for Civil Rights provides help and support to health care organizations to protect against cybersecurity threats and comply with their obligations under the HIPAA Security Rule,” Fontes Rainer added. “Cybersecurity is on all of us, and we must take steps to protect our health care systems from these attacks.”
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.