
Judge Approves $8.9M Banner Health Settlement Over 2016 Data Breach

The approved settlement stipulates Banner Health must improve its information security program and pay up to $8.9 million to the 3.7 million patients impacted by the June 2016 data breach.

A federal judge of the US District Court of Arizona has given final approval to the settlement of the class-action lawsuit against Banner Health, stemming from its June 2016 data breach that impacted more than 3.7 million patients, members and beneficiaries, providers, and food and beverage outlet customers.

First proposed in December 2019, the settlement includes both monetary payments for breach victims and a requirement for the Arizona health system to improve its information security program.

Banner Health first announced the breach of its food and beverage outlets’ payment processing system in June 2016. Hackers were able to leverage the system to gain access to the Banner Health network, which led to a hack of its servers containing the data of millions of patients.

What’s worse, the breach was not discovered until a month later in July 2016. The investigation revealed hackers were able to steal a trove of sensitive information, including Social Security numbers, health insurance data of current and former Banner Health patients, and claims data.

The breach victims soon filed a class-action lawsuit, claiming “Banner failed to thoroughly investigate and harden their systems against the identified risks up to and through the 2016 data breach.” A year later, some of the initial claims were tossed by the judge. But the parties reached a preliminary agreement in December.

According to court documents, breach victims will be able to submit reimbursement claims for expenses incurred due to the breach. The reimbursement is capped at $500 per breach victim for typical expenses and up to $10,000 for extraordinary expenses, including out-of-pocket costs and time lost over identity theft or fraud.

Banner Health will also provide all breach victims with two years of free, additional credit monitoring, which will not overlap with what was offered during the health system’s initial breach notification. The offer includes dark web monitoring, threat alerts provided by IBM Watson’s AI platform, and safe browsing software.

The approval makes it one of the largest breach-related settlements in healthcare. While Premera has the largest settlement at $74 million over its breach of 10.6 million patients, UCLA recently settled with its 4.5 million breach victims for $7.5 million, and Washington State University’s breach settlement in April 2019 totaled $4.7 million.

In the last year, breach lawsuits have become more commonplace, with DCH Health, UW Medicine, LifeLabs, MU Health, Hackensack Meridian Health, Health Quest, Tidelands Health, and Solara Medical all facing breach lawsuits filed within the last eight months.
