Banner Health has agreed to a $1.25 million civil monetary penalty with the Office for Civil Rights to resolve potential violations of the Health Insurance Portability and Accountability Act brought to light after its massive 2016 data breach.
The press release stressed that given the size of the organization, the OCR’s findings were “a serious concern.”
Banner Health is one of the largest non-profit U.S. health systems, with over 50,000 employees across six states. It’s the largest employer in Arizona. The OCR investigation into the massive data breach “found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization.”
OCR found Banner Health failed to perform a risk analysis for its electronic protected health information or employ sufficient monitoring for its health IT systems to protect against cyber threats.
The audit also found the health system lacked an authentication process to verify users’ identities and determined the health system did not have the technical security measures needed to protect transmitted health information from unauthorized access.
In March 2018, the Department of Health and Human Services announced it was investigating the health system in response to its reported healthcare data breach in 2016.
The data of 2.81 million patients from 27 Banner Health system locations was exposed after the hack of its payment processing system at its food and beverage outlets. What’s more, the system intrusion was not detected for over a month.
The attackers used the compromised platform as a gateway into the Banner network, which led to the subsequent hack of servers that contained patient data that included Social Security numbers, dates of birth, contact information, and a host of personal healthcare information.
Banner Health cooperated with the investigation. But at the time the investigation was announced, OCR indicated its initial responses about Banner’s security program were inadequate. Officials expected to find negative responses, which would lead to fines.
Five years after the audit was announced and nearly seven years after the reported incident, the OCR audit shows a host of security failings that should serve as a warning to other healthcare covered entities.
The resolution agreement with OCR is not an admission or concession of liability by Banner.
In addition to the monetary penalty, Banner Health has agreed to implement a corrective action plan that includes the steps its security team will take to resolve the possible HIPAA failures.
Under the CAP and as HIPAA requires, Banner Health must conduct a thorough and accurate risk analysis across the enterprise network to determine potential security risks and vulnerabilities of all electronic equipment, data systems, programs, and applications at each of its many care sites.
This process must include the development of a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that hold ePHI. Banner must incorporate this information into its risk analysis and provide it to HHS within 90 days.
Banner must also develop and implement a risk management plan that includes its plans to address and mitigate all possible security risks and vulnerabilities identified in its risk analysis, which should also include a process and a timely for risk remediation measures. The security team must also create and maintain HIPAA security policies and procedures.
The new processes and documentation must be distributed to all relevant workforce, who will need to be trained on the measure to ensure compliance.
This is the second enforcement action brought against Banner Health in the last two years. OCR levied a $200,000 civil monetary penalty against the health system in January 2021 to resolve possible violations of the HIPAA Privacy Rule's right of access standard. OCR launched an audit into Banner Health after multiple patient complaints claimed it took over six months to receive their requested records.
OCR Director Melanie Fontes Rainer reminded covered entities and relevant business associates that OCR is designed to provide support to healthcare organizations in protecting against cyber threats and potential HIPAA compliance issues.
“It’s imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyberattacks,” Rainer said in a statement.
“Cybersecurity is on all of us, and we must take steps to protect our health care systems from these attacks,” she added. Entities must proactively and routinely monitor system activity for hacking incidents, while sufficiently safeguarding patient data across their entire network.
With the $1.25 million settlement, the 2016 incident has now cost Banner Health well over $10 million. In April 2020, a federal judge of the US District Court of Arizona gave final approval for an $8.9 million settlement with the patients, members and beneficiaries, providers, and food and beverage outlet customers, affected by the incident.
The settlement included a requirement for the Arizona health system to improve its information security program.