HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Banner Health Class-Action Claims 12 Months ID Theft Protection is Insufficient Reparation

Following a healthcare data breach, a class-action lawsuit is almost guaranteed to be filed. In this case, the ink has barely dried on the breach announcement and a class-action lawsuit has already been filed against Banner Health Network. The suit has not been filed by a patient, but on behalf of a former Banner Health physician whose information was exposed in the 3.7 million-record breach reported last week. The suit was filed three days after the breach was announced.

Law firm Hagens Berman Sobol Shapiro filed the lawsuit on behalf of Dr. Howard Chen, a former ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona. Chen used his Banner Health insurance while employed at the hospital between 2010 and 2013 and is concerned that his information was obtained by the hackers.

The lawsuit is not being filed to recover damages related to identity theft, but in order to obtain compensation to cover the cost of paying for credit monitoring and identity theft protection services.

Banner Health has offered these services to all affected individuals, but only for a period of 12 months. Dr. Chen’s attorneys say that this is insufficient to protect breach victims from identity theft and fraud.

Chen’s attorneys say the law requires Banner Health to offer reparation for the serious risk that patients face, yet the current offer of 12 months’ identity theft protection and resolution services is insufficient. “It’s not enough to offer a skimpy fix,” said Chen’s attorney, Rob Carey, in a recent statement.

The data potentially obtained by the hackers include all the information necessary to commit identity theft. The risk to patients is therefore considerable. Banner Health discovered the cyberattack on July 7, although initially it was thought that the attack only affected customers of food and beverage outlets in Banner Health hospitals.

However, on July 13, 2016 Banner Health discovered that a second attack had occurred that potentially allowed the hackers to gain access to patient data. The information potentially accessed includes names, addresses, birth dates, treating physicians’ names, dates of service, insurance claims information, health insurance details, and Social Security numbers.

Access to Banner Health’s systems has now been blocked, although if patient data were stolen in the attack the data could be used by the attackers or traded on the black market. According to the lawsuit, “Personal and financial information is a valuable commodity.” Patients are therefore exposed to a considerable level of risk and that risk does not decline after 12 months. In fact, the risk of data being used for identity theft increases.

Cybercriminals are well aware that credit protection services are offered to patients following a breach, but that credit monitoring services are usually only provided for a period of 12 months or 24 months at the most. For this reason, when healthcare data are stolen, criminals often sit on the data for a year or two before using it to commit fraud.

In order to protect against identity theft and fraud, breach victims will be required to pay for continued identity theft protection services. Chen’s attorneys believe that cost should not be covered by the breach victims.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.