$8.9 Million Banner Health Data Breach Settlement Gets Final Approval
A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge. The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future. The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers used to store the HIPAA protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare...
March 2020 Healthcare Data Breach Report
March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records. In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records. Largest Healthcare Data Breaches in March 2020 The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients. A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed. The third largest data breach of the month was reported by Brandywine Urology Consultants, which...
Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance
A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats. Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic. The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up...
HHS Delays Enforcement of New Interoperability and Information Sharing Rules
The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020. The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules. The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic. “ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19...
HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking
On Tuesday, the HHS’ Office of inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking. “When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General. OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin. OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the...



