OCR investigating Banner Health's 2016 data breach

Already fending off a class-action lawsuit, Banner Health is also the subject of an ongoing federal investigation into a June 2016 cyberattack that exposed patient data. 

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) launched an investigation in the aftermath of the attack that exposed data for 3.7 million patients at 27 locations, according to year-end financials (PDF) released by the Phoenix, Arizona-based health system. Banner says it is cooperating with the investigation, but OCR has said the health system's initial responses to questions about past security assessment activities are “inadequate.”

Hackers initially attacked Banner’s network through its payment processing system at food and beverage outlets, then ultimately gained access to servers that contained patient data.

RELATED: Arizona judge pares down class-action suit against Banner Health over 2016 data breach

“Although Banner has supplemented its initial responses, Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner,” the report states. “At this point, it is not possible to estimate the range of potential fines by the OCR.”

In OCR's most recent settlement, dialysis provider Fresenius Medical Group of North Carolina paid $3.5 million to settle an investigation into five separate breaches that impacted just 521 records. 

In December, an Arizona judge tossed portions of a class-action lawsuit against Banner brought by patients affected by the breach. But the judge ruled the plaintiffs sufficiently demonstrated that the breach presents and impending injury.

The class-action claim is one of several against healthcare providers and payers in recent years. Last year, Anthem agreed to pay $115 million to settle case following its massive 2015 data breach, and last month the Supreme Court denied an appeal from CareFirst to review a lawsuit stemming from a 2014 breach.