Banner Health Agrees to $6M Settlement to Resolve 2016 Data Breach Lawsuit

Dec. 11, 2019
The class-action lawsuit was filed in 2016 on behalf of nearly 3 million affected individuals

Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., has agreed to pay $6 million to breach victims to resolve a lawsuit stemming from a 2016 cybersecurity incident in which attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations.

That 2016 breach involved cyber attackers targeting payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems.

The investigation at the time initially found that the attack did not affect payment cards used to pay for medical services, but Banner Health later learned that the attackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. How the hack expanded from certain food and beverage outlets to patient information systems has remained somewhat unclear, but ultimately, the hackers had access to Banner Health systems for approximately two weeks.

The health system ended up mailing letters to 3.7 million patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers related to the attack, while offering a free one-year membership in monitoring services to those impacted. However, a class-action lawsuit led by an Arizona physician that was filed in August 2016 on behalf of nearly 3 million individuals affected by the data breach noted that the credit monitoring offering was inadequate.

Plaintiffs in the lawsuit “alleged that the attack was financially motivated, and hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million,” according to a report in HIPAA Journal, which added, “The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.”

The plaintiffs further argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach, according to the HIPAA Journal report.

As such, under the preliminary settlement approved on Dec. 5 in the U.S. District Court of Arizona, the health system has agreed to pay up to $6 million to class members for reimbursement of expenses related to the breach.

As part of the settlement of the litigation, which consolidated 11 class action lawsuits, Banner Health will also pay for two additional years of credit monitoring for settlement class members in addition to the one year of credit monitoring it originally offered, per a report in BankInfoSecurity.com.

That additional credit monitoring coverage includes up to $1 million reimbursement insurance from AIG covering losses due to identity theft and stolen funds, while Banner Health has also agreed to pay $2.9 million for legal costs incurred by plaintiffs' attorneys in the case, BankInfoSecurity.com reported.

The report quoted a Phoenix-based lawyer who is a lead attorney for plaintiffs in the lawsuit as saying that the total value of the settlement is in "the tens of millions of dollars."
