Banner Health Pays $1.25 Million for 2016 Data Breach, HIPAA Violations
Banner Health’s 2016 breach disclosed the protected health information of 2.81 million consumers.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on February 2 it has settled with Banner Health to resolve potential Health Insurance Portability and Accountability Act (HIPAA) violations that happened during a massive 2016 data breach caused by a hacker. Banner Health, which is one of the nation’s largest non-profit health systems, has agreed to pay OCR $1.25 million.
The breach disclosed the protected health information of 2.81 million consumers, according to HHS’ press release. The hacker accessed patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.
OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, “a serious concern given the size of this covered entity,” the HHS press release said. “Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.”
The potential violations specifically include:
In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:
Read the resolution agreement.