Banner-University Medicine Pays Government $1.25M After 2016 Breach
A hacking incident that occurred seven years ago, involving medical records for 2.8 million individuals, has cost Banner-University Medicine $1.25 million, the HHS Office for Civil Rights (OCR) announced Feb. 2. In addition to the payment, Banner officials agreed to implement a corrective action plan (CAP). The settlement resolves allegations that Banner violated HIPAA regulations through the “lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically,” according to OCR. Banner did not admit fault as part of the settlement.
In July 2016, a hacker “accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information,” the agency said. “OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.”

The actions Banner must take during the two-year CAP include conducting an “accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by Banner or its affiliates … that contain, store, transmit or receive Banner” electronic health information; developing an associated risk management plan; and revising policies and procedures related to information system activity review, person or entity authentication, and transmission security.