Arizona judge pares down class-action suit against Banner Health over 2016 data breach

A district court judge in Arizona has tossed several claims against Banner Health brought by patients affected by a 2016 data breach.

But the judge allowed portions of the case to move forward, ruling that the plaintiffs had sufficiently demonstrated that the breach presents an impending injury.

The class-action lawsuit was filed in August 2016 on behalf of the 3.7 million individuals affected by a data breach in which hackers gained access to Banner’s network through its payment processing system at food and beverage outlets. The intruders ultimately gained access to servers containing patient and health plan data.

The plaintiffs, including a former ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona, alleged the health system failed “to take adequate precautions” like multi-factor authentication, firewalls and encryption. Although some of the plaintiffs said their information had already been misused to open up fraudulent accounts or credit cards, others argued that the increased risk of identity theft was enough to claim harm from the data breach.

The judge dismissed the breach of contract, good faith and implied duty of care claims, ruling that the portions of the employee handbook addressing patient confidentiality and privacy describe a duty owed to Banner Health by its employees, not vice versa.

But the judge allowed the class-action suit to move forward with its claims of unjust enrichment, negligence and violation of the Arizona Consumer Fraud Act.

“There is at least a plausible inference that the identity theft alleged by two of the Plaintiffs would not have happened but-for Defendant’s inadequate data security,” Judge Susan R. Bolton wrote, citing a similar ruling in Anthem’s data breach litigation. “Furthermore, there is a plausible inference that the rest of Plaintiffs are now at an increased risk of identity theft which they are incurring costs to prevent.”

The case adds to a growing number of legal decisions about whether the identity theft risks associated with a data breach constitute harm, even if an individual's information has not been used inappropriately. That’s a question CareFirst has petitioned the Supreme Court to take up, citing “growing uncertainty” among circuit courts regarding the level of harm associated with a data breach.

