The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Banner Health Affiliated Covered Entities, a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. 

The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks. 

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyberattack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. 

As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information. 

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” says OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions.  The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.

Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within 3- days when workforce members fail to comply with the HIPAA Security Rule.

The resolution agreement and corrective action plan can be found here