Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., has agreed to pay $6 million to breach victims to resolve a lawsuit stemming from a 2016 cybersecurity incident in which attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations.
That 2016 breach involved cyber attackers targeting payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems.
The investigation at the time initially indicated that the attack did not affect payment cards used to pay for medical services, but Banner Health later learned that the attackers may also have gained unauthorized access to patient information, health plan member and beneficiary information, and information about physicians and healthcare providers. How the attackers moved from the payment systems at certain food and beverage outlets to the systems holding patient information has remained somewhat unclear, but ultimately, the attackers had access to Banner Health systems for approximately two weeks.
In response, the health system mailed breach notification letters to 3.7 million individuals, including patients, health plan members and beneficiaries, food and beverage customers, and physicians and healthcare providers, and offered those impacted a free one-year membership in credit monitoring services. However, a class-action lawsuit filed in August 2016, led by an Arizona physician on behalf of nearly 3 million individuals affected by the data breach, contended that the credit monitoring offer was inadequate.
Plaintiffs in the lawsuit “alleged that the attack was financially motivated, and hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million,” according to a report in HIPAA Journal, which added, “The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.”
The plaintiffs further argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach, according to the HIPAA Journal report.
As such, under the preliminary settlement approved on Dec. 5 in the U.S. District Court of Arizona, the health system has agreed to pay up to $6 million to class members for reimbursement of expenses related to the breach.
As part of the settlement of the litigation, which consolidated 11 class action lawsuits, Banner Health will also pay for two additional years of credit monitoring for settlement class members in addition to the one year of credit monitoring it originally offered, per a report in BankInfoSecurity.com.
That additional credit monitoring coverage includes up to $1 million reimbursement insurance from AIG covering losses due to identity theft and stolen funds, while Banner Health has also agreed to pay $2.9 million for legal costs incurred by plaintiffs' attorneys in the case, BankInfoSecurity.com reported.
The report quoted a Phoenix-based lawyer, a lead attorney for the plaintiffs in the lawsuit, who said that the total value of the settlement is in "the tens of millions of dollars."