Banner Health has agreed to a $1.25 million civil monetary penalty with the Office for Civil Rights to resolve potential violations of the Health Insurance Portability and Accountability Act brought to light after its massive 2016 data breach.
The press release stressed that given the size of the organization, the OCR’s findings were “a serious concern.”
Banner Health is one of the largest non-profit US health systems, with over 50,000 employees across six states. It’s the largest employer in Arizona. The OCR investigation into the massive data breach “found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization.”
OCR found Banner Health failed to perform a risk analysis for its electronic protected health information (ePHI) or to employ sufficient monitoring of its health IT systems to protect against cyber threats.
The audit also found the health system lacked an authentication process to verify users’ identities, and determined that it did not have the technical security measures needed to protect health information in transit from unauthorized access.
In March 2018, the Department of Health and Human Services announced it was investigating the health system in response to its reported healthcare data breach in 2016.
The data of 2.81 million patients from 27 Banner Health system locations was exposed after the hack of its payment processing system at its food and beverage outlets. What’s more, the system intrusion was not detected for over a month.
The attackers used the compromised platform as a gateway into the Banner network, which led to the subsequent hack of servers that contained patient data that included Social Security numbers, dates of birth, contact information, and a host of personal healthcare information.
Banner Health cooperated with the investigation. But at the time the investigation was announced, OCR indicated its initial responses about Banner’s