Banner settles data case
Banner Health has agreed to pay $6 million to settle a lawsuit over a 2016 computer data breach.
Phoenix-based Banner Health has agreed to settle a class action lawsuit over a 2016 computer data breach that may have compromised health and personal data of nearly 3 million patients, employees and others, court documents show.
The class action lawsuit came out of 11 individual lawsuits filed in 2017.
The proposed settlement, which must still be approved by the court, includes Banner paying as much as $6 million to victims. The proposal also includes insurance coverage for claims of financial losses stemming from the data breach.
“All things considered, this settlement compares very favorably with those that have been approved in other data breach cases,” said Andrew Friedman, one of the lawyers representing the plaintiffs.
“The credit monitoring is more robust and state-of-the-art, and I think we’ve covered all of the folks who may have suffered losses,” he said.
The proposed settlement shows Banner has agreed to provide two years of free credit monitoring through Identity Guard Total for the estimated 2.9 million people affected by the breach, which occurred in June and July 2016.
All of those people will receive free insurance coverage of up to $1 million to cover losses stemming from identity theft and stolen funds that were a result of the data breach.
The settlement terms say those affected would be able to file claims for up to $500 for “ordinary expenses” connected to the breach, or up to $10,000 for “extraordinary expense reimbursement” — expenses like lost time at work or professional help with identity theft issues. The total limit for those expense payments from Banner Health is $6 million.
Banner also agreed to improve its information security systems.
The court this month granted preliminary approval of the settlement. Final court approval is set for April 21.
“This is still a pending legal matter, so we are unable to discuss details. However, we are hopeful that it will be resolved soon, at which time those who were impacted can learn additional information,” Banner Health spokeswoman Becky Armendariz said in an emailed statement.
“In the meantime, data security is one of our highest priorities and we continue to work diligently to protect the sensitive information of our patients and employees.”
The cyber attack at Banner was the largest health care data breach of 2016, according to HIPAA Journal.
Banner Health announced on Aug. 3, 2016 that it had sent letters to 3.7 million people, informing them that cyber criminals may have gained unauthorized access to personal information, including names, birth dates, addresses, physician names and possibly health insurance information and Social Security numbers if they were provided to Banner Health.
Among those notified were patients, health plan members and beneficiaries, food and beverage customers, physicians and health care providers.
When the breach occurred, Banner initially gave those affected a year of free credit monitoring.
The credit monitoring that’s part of the settlement includes:
❚ Real-time authentication alerts when someone attempts to make a change to a victim’s personal account information.
❚ Alerts based on searches of payday-loan providers and court records.
❚ Monitoring of top financial institutions for attempted or fraudulent use of victims’ information.
❚ Dark Web monitoring to alert victims whose personal information shows up on the Dark Web.
Friedman, the plaintiffs’ lawyer, said he knows of no egregious losses due to the data breach and that Banner’s voluntary provision of a free year of credit monitoring after the attack may have helped prevent such losses.