Banner Health hit with settlement following 2016 cyberattack

The settlement stems from a 2016 cyberattack on Banner Health that compromised the health information of 2.81 million consumers.
Published: Feb. 2, 2023 at 8:19 PM MST

PHOENIX (3TV/CBS 5) - Banner Health must pay up after a devastating cybersecurity hack that impacted nearly 3 million consumers. The nonprofit health system was ordered to pay $1.2 million to the U.S. Department of Health and Human Services and make changes to its data security. The settlement stems from a cyberattack on Banner Health in 2016 that compromised the health information of 2.81 million consumers.

Banner Health released this statement:

As a result of Banner’s self-report to the Office for Civil Rights, the OCR initiated a compliance review in 2016 which recently concluded. As a result of this review and its findings, Banner has entered into a voluntary settlement agreement with the OCR. “We are pleased to resolve this matter and will continue to work diligently in the best interests of our patients, employees and physicians,” officials said.

On top of the monetary settlement, Banner must also be monitored for two years by the Office for Civil Rights and do the following:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically
  • Report to HHS within 30 days when workforce members fail to comply with the HIPAA Security Rule.

While Banner Health works to make its system safer, cybersecurity experts in Arizona said hacks like this could happen to any business. “We see them on the rise and we stop them every day,” said Jacob Liff, a cybersecurity expert with iCoreConnect. The FBI tracks crime that happens on the internet. In 2021, they reported more than 800,000 cases with more than $6.9 billion lost.

Liff, who works to protect small businesses from cyberattacks, said it’s important to always be vigilant no matter the size of your company. “The scary thing is these aren’t always targeted attacks; they will cast a really wide net and whoever gets caught in that net gets caught. It doesn’t matter if you’re a big company or a small company,” he said.

Some advice Liff offers is to keep your software up to date, invest in antivirus programs and think before you click on suspicious emails. If you feel you are the victim of a hack, it’s important to act quickly and report it to the FBI.