Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information.

The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI.

Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities” with its responses rated as “inadequate”.

Banner Health has respond and provided additional evidence of its security efforts but “negative findings” are anticipated. Banner Health suspects a financial penalty may be pursued by OCR, although it is not known how much the penalty is likely to be.

The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches over 500 records. OCR can issue fines of up to $1.5 million per violation category, per year. HIPAA violations that have been allowed to persist over several years, and cases where there have been multiple violations of HIPAA Rules, can see multi-million-dollar financial penalties pursued. Fines have been issued of $25,000, although there have also been settlements in excess of $4 million dollars.

Based on previous HIPAA settlements, a breach of this magnitude is likely to see a fine toward the upper end of the spectrum.

In addition to a potential fine from OCR for non-compliance with HIPAA Rules, nine lawsuits were filed by plaintiffs affected by the 2016 data breach which have since been consolidated into a single class action lawsuit.

While many data breach lawsuits have been dismissed for lack of standing, this lawsuit appears to be going the distance. The plaintiffs have already demonstrated impending injury as a result of the exposure and theft of their health information.

Banner Health holds an insurance policy against cyberattacks although the extent of insurance coverage is not known. Banner Health is vigorously defending the lawsuit, but should its efforts fail, the health system believes a substantial proportion of the legal costs and any settlement will be covered by its cyber risk insurance policy.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.