HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019.

Plaintiffs alleged that the attack was financially motivated, and that hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million individuals. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers had access to Banner Health systems for approximately 2 weeks.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.

The plaintiffs argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach.

Under the terms of the settlement, plaintiffs will be able to submit reimbursement claims for expenses incurred as a result of the data breach. Claims will be accepted up to a maximum of $500 per person for standard expenses, and up to $10,000 for extraordinary expenses. Banner Health has placed an overall cap of $6 million on expense claims.

Individuals affected by the breach have also been offered an additional 2 years of credit monitoring and identity theft protection services. The plaintiffs have filed a motion for preliminary approval of the settlement.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.