2016 Banner Health Data Breach Likely to See Financial Penalty From OCR

Banner Health issued a financial report mentioning OCR’s investigation of the colossal 2016 Banner Health data breach. In the said breach incident, 27 Banner Health facilities located in Alaska, Arizona, Colorado, California, Nevada, Nebraska, and Wyoming were affected. The protected health information of 3.7 million patients was exposed. Sensitive information such as names, birth dates, Social Security numbers and health insurance information was compromised. Although the attackers accessed the payment processing system of food and beverage outlets, they were also able to access the servers containing PHI.

Banner Health has been cooperating with OCR’s investigation of the breach. Information was made available as requested, but OCR seems to doubt the evidence supplied by Banner Health regarding its HIPAA compliance efforts. OCR was particularly not satisfied with the documentation of Banner Health’s “past security assessment activities.” It was rated as inadequate.

Despite the additional evidence of security efforts provided by Banner Health, with the negative findings, Banner Health anticipates that OCR will pursue a financial penalty. The only question is how much is the penalty. OCR investigates all data breaches that affect over 500 healthcare records. Issued fines of up to $1.5 million per violation category per year is possible. There have been cases of HIPAA violations persisting over several years and cases having multiple HIPAA rules violations that get multi-million dollar penalties.

Looking at previous HIPAA settlements, a breach this huge is likely to see fines in the upper limit. Aside from the potential fine from OCR for HIPAA violations, plaintiffs affected by the breach filed nine lawsuits, which was consolidated into one class action lawsuit. Although there were many data breach lawsuits dismissed in the past, this one is likely to progress. Plaintiffs have already demonstrated impending injury because of the exposure and theft of their sensitive information.

Banner Health has an insurance policy covering cyberattacks. In case Banner Health’s efforts in defending against the lawsuit fail, it’s very likely that a substantial amount of the settlement and legal costs will be covered by the insurance policy.