Phoenix-based Banner Health has agreed to pay $6 million to victims of its 2016 data breach. Banner Health will pay an additional $2.9 million for legal costs.
The settlement will allow breach victims to submit reimbursement claims for expenses incurred by the breach. For ordinary expenses, the reimbursement is capped at $500 per victim. For extraordinary expenses, victims can be reimbursed up to $10,000. This includes out-of-pocket costs and time lost due to identity theft or fraud.
In December 2019, the preliminary settlement was approved in the United States District Court for the District of Arizona. The proposed settlement also included an additional two years of credit monitoring services for victims, as well as an agreement by Banner Health to improve its system’s security.
In 2016, cyber attackers gained unauthorized access to Banner Health’s computer servers that process payment card data at certain Banner Health food and beverage outlets. Investigators believe that the original attack occurred on June 17, 2016. The cyber attackers continued to access the systems between June 17, 2016 and July 7, 2016.
The cyberattack exposed the records of an estimated 3.7 million patients, employees and others. The exposed information included names, birthdates, social security numbers, addresses, physician names, dates of service, clinical information, health insurance information, and provider information.
Banner Health owns and operates 29 hospitals in seven states and is one of the largest, nonprofit health care systems in the country. Banner Health has more than 50,000 employees, making it one of the country’s largest employers as well. Banner Health’s University Medicine Orthopedic Institute provides a range of services and support including advanced care for back pain, joint issues and bones that are not healing.
There has been a recent trend of patients suing hospitals for data breaches. For OTW’s coverage of another recent data breach lawsuit, see “Victims Can Sue Ortho Clinics if Data Hacked.”
