Banner Health agrees to $6M settlement to resolve 2016 data breach lawsuit

Banner Health has agreed to pay up to $6 million to victims of a massive 2016 data breach as part of a proposed settlement, according to court documents filed last week.

The class action lawsuit was filed in August 2016 on behalf of close to 3 million individuals affected by the data breach. Hackers initially attacked Banner’s network through its payment processing system at food and beverage outlets, then ultimately gained access to servers that contained patient data.

According to court documents, plaintiffs in the case allege that "financially-motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information belonging to approximately 2.9 million people."

The information the hackers copied included names, addresses, Social Security numbers, birthdates, medical and pharmaceutical histories for patients, sensitive information of Banner healthcare providers as well as credit card numbers and debit card numbers for about 30,000 food and beverage customers, the plaintiffs said.

One plaintiff alleges she had fraudulent bank accounts opened and tax returns filed in her name, and criminals attempted to use another plaintiff's credit accounts.


The security incident was the largest healthcare data breach of 2016 and the ninth-largest healthcare data breach of all time, the plaintiffs state, according to court documents. "The security incident exposed Banner patients, insureds, providers, and payment card users to a significantly increased risk of suffering devastating and expensive financial and medical identity theft," the plaintiffs argued in the lawsuit.

According to court documents filed in the U.S. District Court in Arizona on Dec. 5, the settlement agreement provides "substantial monetary and injunctive relief" to all 2.9 million individuals Banner Health notified in connection with the 2016 data breach.

The plaintiffs in the case filed the motion for preliminary approval of a settlement to end a proposed class action over the breach in federal court in Arizona.

As part of the settlement, the nearly 3 million people affected by the 2016 data breach would be able to submit claims for reimbursement of expenses arising from the incident. Each class member's reimbursement is capped at $500 for ordinary expenses and $10,000 for extraordinary expenses. Banner agreed to an overall cap on reimbursement claims of $6 million.

Banner agreed to provide people affected by the data breach with a two-year subscription to credit monitoring and identity-protection services.


Phoenix-based Banner operates facilities in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming. At the time of the breach in June 2016, the health system sent letters to millions of patients, health plan members and beneficiaries, dining customers, physicians and other healthcare providers who may have been affected. The attack lasted for two weeks.

The plaintiffs in the lawsuit alleged that the health system failed "to take adequate precautions" such as multifactor authentication, firewalls or encryption. Although some of the plaintiffs said their information had already been misused to open fraudulent accounts or credit cards, others argued that the increased risk of identity theft was itself enough to claim harm from the data breach.

Banner Health spokeswoman Becky Armendariz declined to discuss details of the case as it is a "pending legal matter."

"However, we are hopeful that it will be resolved soon, at which time those who were impacted can learn additional information. In the meantime, data security is one of our highest priorities and we continue to work diligently to protect the sensitive information of our patients and employees," she said.