Banner Health pays $1.25M over 'pervasive' HIPAA noncompliance following 2016 hack

Banner Health has agreed to pay $1.25 million and implement a corrective action plan to resolve a hacking incident that exposed the protected health information of nearly 3 million people.

The deal stems from an investigation by the Department of Health and Human Services’ Office for Civil Rights (OCR) into a 2016 cyberattack, in which information ranging from names and Social Security numbers to medications and insurance claims was accessed, according to an OCR announcement about the settlement.

OCR launched an investigation after receiving a breach report from Banner, during which the office said it “found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule” across the Phoenix-based nonprofit system.

Potential violations being addressed in the settlement, per OCR, include:

  • Lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization
  • Insufficient monitoring of health information systems’ activity to protect against a cyberattack
  • Failure to implement an authentication process to safeguard its electronic protected health information
  • Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” OCR Director Melanie Fontes Rainer said in the announcement. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber attacks.”

Banner’s corrective action plan will be monitored by OCR for two years in order to ensure HIPAA compliance. It will require that Banner conduct a thorough risk analysis, develop and implement a risk management plan and report any HIPAA compliance failures within 30 days, among other measures.

Banner Health is among the country’s largest nonprofit systems. It operates 30 hospitals across six states and employs more than 50,000 people.

Cybersecurity threats have ramped up in recent years, and healthcare organizations are a prime target. OCR’s release described hacking as “the greatest threat to the privacy and security of protected health information” in the healthcare sector. A recent study found that healthcare ransomware attacks doubled from 2016 to 2021 while personal health information exposure increased more than elevenfold.

Breaches can also open health systems up to litigation. Just a few weeks ago, Scripps Health came to terms with 1.2 million victims of a 2021 hack to the tune of $3.57 million. CommonSpirit Health, which disclosed an attack in the fall that compromised over 600,000 patients’ protected health information, was also recently hit with lawsuits from disgruntled patients.