Banner Health gets hit again, breach leads to class actions

The recent Banner Health breach of protected health information (PHI) and payment card data of 3.7 million patients, members, beneficiaries, food and beverage outlet customers, and providers was the “direct result of Banner Health’s failure to implement adequate cybersecurity measures,” according to two class-action complaints filed against the nonprofit health system.

Breach

The data breach was discovered at certain Banner Health food and beverage outlets on July 7, 2016, and on a limited number of its computer servers on July 13, 2016. The type of data compromised differs for different groups. For patients, compromised data includes: names, birthdates, addresses, physicians’ names, dates of service, clinical information, health insurance information, and social security numbers. For members and beneficiaries, compromised data includes: names, birthdates, social security numbers, addresses, dates of service and claims information, and health insurance information as a current or former member of a Banner Health plan, or as a beneficiary of a Banner Health employee benefits plan. As part of its notification process, Banner made impacted individuals aware of an offer of a free one-year membership in credit monitoring services (see Banner Health breach potentially affects millions, Health Law Daily, August 4, 2016).

Federal complaint

One of the complaints—filed in federal district court by a physician assistant and medical services provider within the Banner Health system—alleges that Banner improperly safeguarded against attacks and, since the breach, has taken inadequate measures to compensate individuals impacted by the breach. The complaint charges Banner with failing to increase cybersecurity protections despite a recent wave of high-profile data breaches and Banner’s knowledge of the need for heightened security measures. The federal complaint also criticizes the lag in time between Banner’s identification of the breach and its first statement acknowledging the cyber-attack. Additionally, the complaint calls the statement “underwhelming,” noting that Banner is either withholding information from the public or has been unable to determine critical details concerning the breach.

State complaint

The other complaint—filed in Arizona state court by a physician who is a former Banner employee and a former enrollee in a Banner insurance plan—accuses Banner of negligence and alleges that class members should be entitled to recover the costs associated with “the detection and prevention of identify theft and medical-identify theft, including credit monitoring, identity theft consultation, and identify restoration.” The state complaint alleges that Banner breached contractual obligations to protect employee, patient, and plan member information. The complaint also claims that the public disclosure of individual’s data constitutes an invasion of privacy. The firm that filed the lawsuit—Hagens Berman Sobol Shapiro—is seeking members to join the class.