HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$8.9 Million Banner Health Data Breach Settlement Gets Final Approval

A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge.

The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future.

The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers used to store the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare organization in 2016 is still one of the top 10 healthcare data breaches of all time.

The class action lawsuit claimed “financially-motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information.”

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit alleged “Since at least 2012, Banner’s information security measures have been objectively unreasonable and deficient—particularly in light of healthcare, insurance, and payment card industry standards, applicable legal requirements, and the known and growing threat to healthcare and insurance companies from cybercriminals.”

Under the terms of the settlement, a fund of $6 million has been set up to cover monetary and injunctive relief for all individual affected by the breach and $2.9 million will be paid in attorneys’ fees. Victims of the breach can claim up to $500 in ordinary expenses, including up to 3 hours of undocumented time in connection with the data breach and additional documented expenses. Up to $10,000 in extraordinary expenses can be claimed, including up to 15 hours of documented lost time dealing with identity theft and fraud and other monetary losses. Banner Health will also cover the cost of two years of credit monitoring services on top of those already provided and a $1 million identity theft insurance policy.

“We are pleased to resolve this matter and will continue to work diligently in the best interests of our patients, employees and physicians,” said Becky Armendariz, senior director of marketing and public relations at Banner Health.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.