Banner Health pays $1.25 million to settle cybersecurity breach that affected nearly 3 million people
Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The settlement concerns the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which helps protect health information and data from cybersecurity attacks. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”
In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.
Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.
In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
- Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
- Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
- Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner-health-ra-cap/index.html
Cybersecurity incidents and data breaches continue to increase across all industries. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. The Biden-Harris Administration has announced a relentless focus on improving the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and taking aggressive action to strengthen and safeguard our nation’s cybersecurity. OCR supports this call to action by offering an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.