Banner Health has agreed to settle alleged violations of the HIPAA Security Rule with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and will pay a $1.25 million financial penalty. Banner Health will also adopt a corrective action plan to ensure full compliance with the HIPAA Security Rule and will be monitored by OCR for two years.
The OCR investigation into HIPAA Security Rule compliance was initiated after OCR was informed about a 2016 data breach involving the personal and protected health information of 3.7 million individuals – the largest U.S. healthcare data breach of the year. Hackers gained access to the payment processing system of the food and beverage outlets at Banner Health's 30 hospitals, and also accessed servers containing the protected health information of 2.81 million patients. The hackers had access to Banner Health's systems for a month before the breach was detected.
The financial penalty has not come as a surprise for Banner Health, which anticipated a possible financial penalty back in 2018. While Banner Health said it cooperated fully with the investigation, OCR was reportedly not satisfied with the documentation Banner Health provided detailing its past security assessment activities. The resolution agreement indicates Banner Health was unable to provide documentation that demonstrated full compliance with the HIPAA Security Rule. Announcing the settlement, OCR said it had uncovered “evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization.” Specifically, Banner Health was unable to sufficiently demonstrate that it had conducted accurate, organization-wide risk analyses to identify risks and vulnerabilities to electronic protected health information (ePHI), nor that it had regularly reviewed records of information system activity to identify suspicious behavior. Insufficient measures had been implemented to verify the identity of individuals seeking access to ePHI, and there were insufficient technical security measures in place to protect ePHI transmitted over a communications network.
OCR said the HIPAA Security Rule violations were particularly concerning due to the size of the organization. Banner Health is one of the largest non-profit health systems in the country: it operates in 6 states, employs more than 50,000 people, and currently serves more than 1 million members through its provider networks. In addition to the OCR financial penalty, Banner Health agreed to implement a corrective action plan to address all areas of alleged noncompliance with the HIPAA Security Rule, and will develop, implement, and train staff on policies and procedures covering risk analyses, information system activity log reviews, and authentication.
Banner Health was also sued for the data breach and settled the class action lawsuit. In 2020, the $8.9 million settlement was approved by a federal judge and required Banner Health to improve its information security program. Both the class action lawsuit and OCR investigation were settled with no admission of wrongdoing.