Arizona judge pares down class-action suit against Banner Health over 2016 data breach


A district court judge in Arizona has tossed several claims against Banner Health brought by patients affected by a 2016 data breach.

But the judge allowed portions of the case to move forward, ruling that the plaintiffs had sufficiently demonstrated that the breach presents an impending injury.

The class-action lawsuit was filed in August 2016 on behalf of the 3.7 million individuals affected by a data breach in which hackers gained access to Banner’s network through its payment processing system at food and beverage outlets. The intruders ultimately gained access to servers containing patient and health plan data.


The plaintiffs, including a former ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona, alleged the health system failed “to take adequate precautions” like multi-factor authentication, firewalls and encryption. Although some of the plaintiffs said their information had already been misused to open up fraudulent accounts or credit cards, others argued that the increased risk of identity theft was enough to claim harm from the data breach.

The judge dismissed the breach of contract, good faith and implied duty of care claims, ruling that the portions of the employee handbook addressing patient confidentiality and privacy describe a duty owed to Banner Health by its employees, not vice versa.

But the judge allowed the class-action suit to move forward with its claims of unjust enrichment, negligence and violation of the Arizona Consumer Fraud Act.


“There is at least a plausible inference that the identity theft alleged by two of the Plaintiffs would not have happened but-for Defendant’s inadequate data security,” Judge Susan R. Bolton wrote, citing a similar ruling in Anthem’s data breach litigation. “Furthermore, there is a plausible inference that the rest of Plaintiffs are now at an increased risk of identity theft which they are incurring costs to prevent.”

The case adds to a growing number of legal decisions about whether the identity theft risks associated with a data breach constitute harm, even if an individual's information has not been used inappropriately. That’s a question CareFirst has petitioned the Supreme Court to hear, citing “growing uncertainty” among circuit courts regarding the level of harm associated with a data breach.

 
