OCR investigating Banner Health's 2016 data breach


Already fending off a class-action lawsuit, Banner Health is also the subject of an ongoing federal investigation into a June 2016 cyberattack that exposed patient data. 

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) launched an investigation in the aftermath of the attack that exposed data for 3.7 million patients at 27 locations, according to year-end financials (PDF) released by the Phoenix, Arizona-based health system. Banner says it is cooperating with the investigation, but OCR has said the health system's initial responses to questions about past security assessment activities are “inadequate.”

Hackers initially attacked Banner’s network through its payment processing system at food and beverage outlets, then ultimately gained access to servers that contained patient data.



“Although Banner has supplemented its initial responses, Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner,” the report states. “At this point, it is not possible to estimate the range of potential fines by the OCR.”

In OCR's most recent settlement, dialysis provider Fresenius Medical Group of North Carolina paid $3.5 million to settle an investigation into five separate breaches that impacted just 521 records. 

In December, an Arizona judge tossed portions of a class-action lawsuit against Banner brought by patients affected by the breach. But the judge ruled the plaintiffs sufficiently demonstrated that the breach presents an impending injury.

The class-action claim is one of several against healthcare providers and payers in recent years. Last year, Anthem agreed to pay $115 million to settle a case following its massive 2015 data breach, and last month the Supreme Court denied an appeal from CareFirst to review a lawsuit stemming from a 2014 breach.
