OCR investigating Banner Health's 2016 data breach


Already fending off a class-action lawsuit, Banner Health is also the subject of an ongoing federal investigation into a June 2016 cyberattack that exposed patient data. 

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) launched an investigation in the aftermath of the attack that exposed data for 3.7 million patients at 27 locations, according to year-end financials (PDF) released by the Phoenix, Arizona-based health system. Banner says it is cooperating with the investigation, but OCR has said the health system's initial responses to questions about past security assessment activities are “inadequate.”

Hackers initially attacked Banner’s network through its payment processing system at food and beverage outlets, then ultimately gained access to servers that contained patient data.


“Although Banner has supplemented its initial responses, Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner,” the report states. “At this point, it is not possible to estimate the range of potential fines by the OCR.”

In OCR's most recent settlement, dialysis provider Fresenius Medical Group of North Carolina paid $3.5 million to settle an investigation into five separate breaches that impacted just 521 records. 

In December, an Arizona judge tossed portions of a class-action lawsuit against Banner brought by patients affected by the breach. But the judge ruled the plaintiffs sufficiently demonstrated that the breach presents an impending injury.

The class-action claim is one of several against healthcare providers and payers in recent years. Last year, Anthem agreed to pay $115 million to settle a case following its massive 2015 data breach, and last month the Supreme Court denied an appeal from CareFirst to review a lawsuit stemming from a 2014 breach.
