Privacy & Security

OCR investigating Banner Health for 2016 breach of 3.7 million patient records

The Arizona health system is cooperating with the investigation but expects to receive negative findings and a potential fine.
By Jessica Davis
March 21, 2018
12:34 PM

The U.S Department of Health and Human Services’ Office of Civil Rights is investigating Banner Health over its 2016 breach that exposed the data of 3.7 million patients at 27 locations, according to year-end financials.

In June 2016, hackers got into Banner’s payment processing system at its food and beverage outlets, which they used as a gateway into the network and eventually the servers containing patient data.

While officials said the Arizona-based health system is cooperating with the OCR investigation, OCR indicated Banner’s initial responses about its security program were inadequate.

[Also: The biggest healthcare data breaches of 2018 (so far)]

While Banner supplemented those responses, officials expect to receive negative findings with respect to its security program from the OCR, in addition to fines.

“At this point, it’s not possible to estimate the range of potential fines by the OCR,” the report read.

It’s unknown how much the OCR will penalize the health system, as the penalties are based on issues such as a history of non-compliance, the number of patients impacted and the like. The OCR also takes into consideration revenue to reflect the amount an organization is able to pay.

For example, Illinois-based Center for Children’s Digestive Health, a small, for-profit pediatric specialty practice, was fined just $41,000 by the OCR in April 2017 for failing to obtain a business associate’s agreement.

On the other end of the spectrum, 21st Century Oncology settled with OCR for $2.3 million in Dec. 2017 for a 2015 breach of 2.2 million patient records, similar in scope to Banner’s incident.

Banner is already fighting a class-action lawsuit over the breach. In December, the judge overseeing the lawsuit tossed out some of the claims against the health system. But it was determined the victims sufficiently demonstrated the massive breach presents impending injury.

Breach lawsuits against health organizations are becoming more prevalent given the increasing scope of breaches.

Anthem settled with its breach victims in 2017 for $115 million over its massive data breach in 2015. And CareFirst, which faced a breach of 1.1 million patient records in 2015, was just denied an appeal of its lawsuit by the Supreme Court last month.

 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Compliance & Legal, Privacy & Security

More regional news

Man with backpack on mobile device

A roadmap for designing more inclusive health chatbots

By
Andrea Fox
May 03, 2024
HIMSSCast logo

HIMSSCast: How to get more value from your EHR system

By
Bill Siwicki
May 03, 2024
Researcher at screen

NVIDIA integrates its AI microservices with AWS

By
Nathan Eddy
May 03, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Man with backpack on mobile device
A roadmap for designing more inclusive health chatbots

Most Read

How the Change Healthcare cyberattack is straining providers, and what the government can do
HHS response to cash flow concerns from Change cyberattack inadequate, providers say
After Change Healthcare, more effort needed to avoid cyberattack chain reactions
HIMSS24 preview: combating counterfeit drugs in a health system
HIMSSCast: Web apps are ubiquitous in healthcare – and come with vulnerabilities
Change Healthcare begins to restore service after cyberattack – as lawsuits begin

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Privacy & Security
Artificial Intelligence
Analytics

Video

Christopher Falkner at Sodexo_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Making a career of medical device interoperability and security
Jessica Skopac at MITRE_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How MITRE helps break the silos of healthcare and technology
Emily Barey at Epic_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Saying 'yes' to the possibilities of a health IT career
Abigail Norville at the Netherlands Ministry of Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How the Dutch health ministry takes innovation inspiration from other nations

More Stories

Dr. Guido Giunti at Trinity College Dublin_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Novel digital therapeutics for MS empower patients
Walmart store
Walmart announces closing of clinics and virtual care
Hacker with glasses and hat looking at two screens with data and code
Ransomware was used in 72% of network intrusions last year, says BakerHostetler
Amanda Bury, chief commercial officer at Infermedica
Telemedicine, enabled with responsible AI, can improve the patient experience
Kendall Brown at CenTrak_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How HIMSS membership can grow healthcare careers
Nurse using tablet
To get stronger AI buy-in from wary nurses, start with automation
Ellen Arigorat at NewYork-Presbyterian Hospital Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
HIMSS Changemaker champions Filipino-American health literacy
Doctors review practice finances
LLMs are not ready to automate clinical coding, says Mount Sinai study