OCR investigating Banner Health for 2016 breach of 3.7 million patient records
The U.S. Department of Health and Human Services’ Office of Civil Rights is investigating Banner Health over its 2016 breach that exposed the data of 3.7 million patients at 27 locations, according to year-end financials.
In June 2016, hackers got into Banner’s payment processing system at its food and beverage outlets, which they used as a gateway into the network and eventually the servers containing patient data.
While officials said the Arizona-based health system is cooperating with the OCR investigation, OCR indicated Banner’s initial responses about its security program were inadequate.
While Banner supplemented those responses, officials expect to receive negative findings with respect to its security program from the OCR, in addition to fines.
“At this point, it’s not possible to estimate the range of potential fines by the OCR,” the report read.
It’s unknown how much the OCR will penalize the health system, as the penalties are based on issues such as a history of non-compliance, the number of patients impacted and the like. The OCR also takes into consideration revenue to reflect the amount an organization is able to pay.
For example, Illinois-based Center for Children’s Digestive Health, a small, for-profit pediatric specialty practice, was fined just $41,000 by the OCR in April 2017 for failing to obtain a business associate’s agreement.
On the other end of the spectrum, 21st Century Oncology settled with OCR for $2.3 million in Dec. 2017 for a 2015 breach of 2.2 million patient records, similar in scope to Banner’s incident.
Banner is already fighting a class-action lawsuit over the breach. In December, the judge overseeing the lawsuit tossed out some of the claims against the health system. But it was determined that the victims had sufficiently demonstrated that the massive breach presents impending injury.
Breach lawsuits against health organizations are becoming more prevalent given the increasing scope of breaches.
Anthem settled with its breach victims in 2017 for $115 million over its massive data breach in 2015. And CareFirst, which faced a breach of 1.1 million patient records in 2015, was just denied an appeal of its lawsuit by the Supreme Court last month.