Banner Health Pays $1.25 Million for 2016 Data Breach, HIPAA Violations

Banner Health’s 2016 breach disclosed the protected health information of 2.81 million consumers.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on February 2 it has settled with Banner Health to resolve potential Health Insurance Portability and Accountability Act (HIPAA) violations that happened during a massive 2016 data breach caused by a hacker. Banner Health, which is one of the nation’s largest non-profit health systems, has agreed to pay OCR $1.25 million.

The breach disclosed the protected health information of 2.81 million consumers, according to HHS’ press release. The hacker accessed patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, “a serious concern given the size of this covered entity,” the HHS press release said. “Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.”

The potential violations specifically include:

  • The lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization
  • Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack
  • Failure to implement an authentication process to safeguard its electronic protected health information
  • Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

Read the resolution agreement.
