Banner bracing for fallout of ’16 breach
Hack exposed 3.7M people’s records; feds investigate
Banner Health anticipates “negative findings” from an ongoing federal probe of a 2016 cyberattack that exposed the records of nearly 3.7 million patients, employees and others.
The Phoenix-based health provider disclosed in its 2017 annual report that an investigation by the U.S. Department of Health and Human Services’ Office of Civil Rights has included queries about the health provider’s security assessments.
“The OCR investigation is still active, and the OCR has indicated that the initial Banner responses with respect to its past security assessment activities are inadequate,” Banner said in its recently released 2017 financial report.
Banner, Arizona’s largest health provider and among the nation’s largest non-profit health systems, said it provided more answers to federal investigators but “anticipates that it may receive negative findings with respect to its information technology security program” that could include a fine.
Banner was the target of a massive June 2016 attack when hackers gained access to the health provider’s food and beverage payment systems and quickly moved to other servers that contained individuals’ medical and personal information.
In all, the attack compromised records of nearly 3.7 million patients, employees, health-insurance customers and others. It’s the largest such attack involving a health-related entity over the past two years, according to OCR records.
Banner, which also faces a class-action lawsuit over the data breach, said it could not estimate possible fines from the federal agency.
In February, the OCR fined dialysis provider Fresenius Medical Care $3.5 million for 2012 data breaches at five locations, including Fresenius Medical Care Ak-Chin in Maricopa. The Maricopa location failed to “implement policies and procedures to address security incidents,” the OCR said in a statement. In a statement provided to The Arizona Republic, Banner Health said it is fully cooperating with the OCR investigation and has made changes to information-technology security issues identified following the data breach.
Banner Health said the changes included upgrades to comply with industry data-security standards for payment cards, to monitor cyberthreats and risks, and to implement secure practices.
Other changes involved areas of program governance, identity and access management, and network and infrastructure security, Banner Health said.
Banner also has offered ongoing credit monitoring for individuals affected by the data breach.
Banner faces lawsuit over breach
Banner’s larger financial exposure could come from a prospective class-action lawsuit making its way through U.S. District Court in Phoenix.
U.S. District Judge Susan Bolton rejected parts of the lawsuit in a December ruling but found enough merit to allow claims of unjust enrichment, negligence and violations of the Arizona Consumer Fraud Act to move forward.
The plaintiffs — including an ophthalmologist at two of Banner’s West Valley hospitals, a Banner employee and four Arizona and Colorado patients — updated their lawsuit in January to include additional claims against the health provider.
The lawsuit alleges that Banner Health could have prevented the data breach but “failed to take a number of fundamental, industry-standard steps to ensure adequate information security — and apparently did so to enhance its own bottom line profitability.”
Prior to the attack, the lawsuit alleges that Banner did not follow industry precautions such as safeguarding key systems behind firewalls, encrypting sensitive data, monitoring compliance and segregating networks to prevent hackers from moving freely within Banner’s computer systems.
“From the very outset, we were surprised those types of systems were not segregated and walled off,” said Paul Stoller, a Gallagher & Kennedy attorney representing the plaintiffs.
Banner attorneys filed a motion to dismiss the plaintiffs’ updated claims.
The lawsuit alleges that hackers gained access to names, birth dates, addresses, Social Security numbers, provider information and medical histories. A Banner forensic examiner identified the culprit as a criminal organization, likely seeking to make money off of the information.
The lawsuit alleges that some individuals whose information was pilfered already have been victims of fraud attempts, though the lawsuit did not provide details.
In addition to federal oversight, Arizona is considering bolstering oversight of data breaches under a bill backed by Arizona Attorney General Mark Brnovich.
House Bill 2154, which is advancing in the Arizona Legislature, would require earlier announcements when hacking occurs. The bill still requires final votes in the House and Senate.