Over 1950 Total Lots Up For Auction at Two Locations - NJ Cleansweep 06/13, NJ 06/14

Spanish SpanishPortuguese Portuguese

Banner Health settles hacking incident that exposed data of 2.81 million for $1.25 million

by John R. Fischer, Senior Reporter | February 10, 2023
Business Affairs Cyber Security Health IT
Share
Banner Health has paid $1.25 million to settle HIPAA violations that led to a hack that exposed data of 2.81 million.
Banner Health Affiliated Covered Entities, based in Phoenix, will pay $1.25 million to the U.S. Department of Health and Human Services for a hacking incident that leaked 2.81 million patients’ protected health information.

The incident occurred in 2016, with the hacker accessing patient names, physician names, dates of birth, addresses, social security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

An investigation found Banner Health was, for a long time, not compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lacking analysis of potential vulnerabilities to its electronic PHI (protected health information) across the organization; sufficient monitoring of health information system cybersecurity measures; an authentication process; and measures for protecting PHI from unauthorized access when transmitted.

“It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyberattacks,” said OCR Director Melanie Fontes Rainer in a statement.

Banner Health is one of the largest nonprofit health systems in the U.S., operating in six states with more than 50,000 employees.

Along with the settlement amount, the organization will abide by a comprehensive corrective action plan that complies with the HIPAA Security Rule, and will be monitored for two years by OCR.

The plan's steps are:

  • Conducting accurate and thorough risk analysis to identify vulnerabilities to electronic patient/system data across the organization
  • Implementing a risk management plan to address risks to confidentiality, integrity and availability of ePHI
  • Developing policies for risk analysis and risk management plans, regularly reviewing activity within information systems, an authentication process, and security measures to protect electronic PHI from unauthorized access when transmitted
  • Reporting to HHS within 30 days when workforce members fail to comply with the HIPAA Security Rule
Sign up for Business Affairs stories Sign up for Weekly Top stories

You Must Be Logged In To Post A Comment

Sign up for Weekly Top stories

Sign up for Business Affairs stories

 

advertisement

Business Affairs Homepage

Are you ready for FIME 2024?
Top five takeaways from physician compensation report
BD takes critical care business from Edwards Lifesciences for $4.2 billion
Surmodics sells to private equity firm for $627 million
Former West Virginia hospital CEO-turned-mayor pleads guilty to stealing hospital funds
Diversifying revenue stream using patient payments
Tampa General taps GE HealthCare for outpatient imaging tech
Leveling the playing field: AI-assisted prior authorization can drive more equitable care
Cape Regional Health System gets OK to join Cooper University Health Care
Microsoft unveils whole-slide model for digital pathology