DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HHS OCR Settles HIPAA Investigation with Banner Health Following 2016 Hacking Incident

Posted on February 3, 2023 by Dissent

The following is a press release from HHS. It is an update to a 2016 hacking incident previously covered on this site. The incident also resulted in a class action lawsuit that was settled for $6 million in 2019.

February 02, 2023

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions.  The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner-health-ra-cap/index.html

Cybersecurity incidents and data breaches continue to increase across all industries. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. The Biden-Harris Administration has brought a relentless focus to improving the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and taking aggressive action to strengthen and safeguard our nation’s cybersecurity. OCR supports this call to action by offering an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

###

Related posts:

  • HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?
  • HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation
  • HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000
Category: Breach IncidentsCommentaries and AnalysesHackHealth DataHIPAALegislationOf Note

Post navigation

← British Columbia: Mandatory breach reporting and privacy management program requirements now in effect for public bodies
FL: Tallahassee Memorial hospital victim of suspected ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.