Banner Health Pays $1.25M to Resolve HIPAA Security Rule Investigation

HHS settled a HIPAA Security Rule investigation over a 2016 data breach at Banner Health that impacted 2.81 million individuals.

The HHS Office for Civil Rights (OCR) settled with Banner Health following a HIPAA Security Rule investigation stemming from a 2016 data breach. Banner Health agreed to pay $1.25 million to OCR and implement a corrective action plan to resolve the alleged HIPAA violations.

In July 2016, Banner Health, a large nonprofit health system in Arizona consisting of more than 30 facilities, discovered that a cybersecurity breach had impacted its food and beverage outlets. The breach allowed threat actors to access a variety of patient and provider information.

OCR launched an investigation into the breach in November 2016 and “found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization,” HHS stated.

This noncompliance was “a serious concern given the size of this covered entity,” HHS noted.

The potential HIPAA violations included insufficient monitoring of Banner Health’s systems to protect against a cyberattack, as well as failure to implement an authentication process to safeguard protected health information (PHI).

OCR also alleged that Banner Health failed to analyze and determine the risks to PHI across the organization and failed to implement appropriate security measures to protect PHI as it was transmitted electronically.

Banner Health admitted no wrongdoing but agreed to pay $1.25 million to OCR. The health system also agreed to conduct a thorough risk analysis to determine vulnerabilities, and develop an internal risk management plan to maintain the integrity and availability of PHI.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals. It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks,” said OCR Director Melanie Fontes Rainer.

“The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

This is not the first time that Banner Health has faced consequences as a result of the 2016 breach. In 2020, Banner Health settled a class action lawsuit requiring the health system to pay up to $8.9 million to the individuals impacted by the breach.
