Banner Health is a non-profit healthcare organization based in Phoenix, Arizona. It operates a total of 34 hospitals and specialized facilities across six states. Banner employs over 50,000 employees. Recently, Banner agreed to settle a data breach lawsuit for $6 million.
What Are the Details of the Data Breach Lawsuit?
In August of 2016, a class-action data breach lawsuit was filed against covered entity Banner Health in federal court in Arizona. Plaintiffs alleged that cybercriminals infiltrated Banner’s network, installed hacking software, and copied and extracted the protected health information (PHI) of approximately 2.9 million people. Plaintiffs asserted that Banner acted negligently and committed a breach of contract. Plaintiffs also alleged that Banner violated the Arizona Consumer Fraud Act by omitting and concealing material facts, which it knew about and had the duty to disclose—namely, Banner’s inadequate privacy and security protections for Plaintiffs’ PHI.
Plaintiffs alleged that the following information was copied:
- Names
- Addresses
- Social Security numbers
- Dates of birth
- Patient medical histories
- Patient pharmaceutical histories
- Sensitive information of Banner healthcare providers
- Credit card number and debit card numbers for approximately 30,000 food and beverage customers
How Did the Data Breach Occur?
The method through which Plaintiffs allege the attack was carried out is worthy of note: Banner, by failing to segregate its systems, left its PCI server connected through its enterprise network to Plaintiffs’ PHI. Because of the lack of segmentation, the backers moved laterally through the enterprise network, and accessed and copied PHI. The hackers were able to do this rapidly, as a result of Banner’s having failed to implement (among other things) network segmentation and access controls. Within a week of the hackers’ first accessing the Banner network, the hackers accessed and copied large amounts of PHI. The hackers then transmitted this data to a location outside of Banner’s network, securely deleting many of the files they had created to cover their tracks.
In their lawsuit, Plaintiffs alleged Banner Health failed to implement appropriate safeguards to protect against cyberattacks, including failure to adopt multi-factor authentication; failure to implement firewalls; and failure to encrypt data. A number of Plaintiffs also claimed to have suffered identity theft and fraud as a direct result of the breach.
What are the Terms of the Settlement?
Per the terms of the settlement, which awaits final approval by the court, Plaintiffs can submit reimbursement claims for expenses stemming from the data breach. Banner will accept claims for up to $500 per person, and for up to $10,000 for “extraordinary” expenses. Banner has placed an overall cap of $6 million on the expenses claims.