The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Phoenix-based Banner Health Affiliated Covered Entities (Banner Health ACE), a nonprofit health system, to resolve a data breach resulting from a hacking incident in 2016 that disclosed the protected health information of 2.81 million consumers.
In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information (ePHI), potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.
Banner Health is one of the largest nonprofit health systems in the country, with more than 50,000 employees and operations in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, which OCR said is a serious concern given the organization’s size.
The potential violations specifically include:
• The lack of an accurate and thorough analysis to determine risks and vulnerabilities to electronic protected health information across the organization (the Security Rule’s risk analysis requirement, 45 CFR 164.308(a)(1)(ii)(A));
• Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack (information system activity review, 45 CFR 164.308(a)(1)(ii)(D));
• Failure to implement an authentication process to safeguard its electronic protected health information (person or entity authentication, 45 CFR 164.312(d)); and
• Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically (transmission security, 45 CFR 164.312(e)(1)).
As a result, Banner Health paid $1.25 million to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer, in a statement. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”
In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:
• Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
• Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
• Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically; and
• Report to HHS within 30 days when workforce members fail to comply with the HIPAA Security Rule.
In 2021, after a separate OCR investigation, Banner Health agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. OCR had received two complaints filed against Banner Health ACE entities alleging violations of the HIPAA Right of Access standard. The first complaint alleged that the individual requested access to her medical records in December 2017 and did not receive the records until May 2018. The second complaint alleged that the individual requested access to an electronic copy of his records in September 2019, and the records were not sent until February 2020. OCR’s investigations determined that the Banner Health ACE entities’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires covered entities to act on an access request within 30 days.