News Feature | August 19, 2016

Banner Health Breach Leads To Class-Action Suit

Christine Kern

By Christine Kern, contributing writer

Banner Health Breach Suit

Latest attack demonstrates the potential costs of a data breach beyond lost data.

Banner Health is the latest victim of a data breach, announcing on its website “cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets.” The attack was initiated on June 17, 2016, and Banner Health has launched an investigation into the incident.

On August 3, Banner Health announced it was mailing letters to approximately 3.7 million individuals who were potentially affected by the breach. The breach was discovered on July 7, and the investigation has revealed the attack did not affect payment card transactions for medical services. However, the affected information includes patient information, health plan member and beneficiary information, and information about physician and healthcare providers including names, birthdates, addresses, physician names, dates of service, claims information, and possibly health insurance information and social security numbers.

Now, a Glendale, AZ doctor has filed a class-action lawsuit against Banner Health, accusing Banner of negligence in allowing the breach to occur. The lawsuit also argues credit monitoring offered by the healthcare provider was inadequate compensation for those affected by the event, according to AZ Central.

“Banner's negligence affected millions of people,” Rob Carey, the filing attorney, was quoted as saying y Becker's Hospital Review. “It's not enough to offer a skimpy 'fix' — the law requires Banner remedy the serious risks it created for its stakeholders.”

The notification came more than a month after the breach occurred, and the lawsuit represents Banner Health employees and patients who were affected. The lawsuit alleges negligence on Banner's part due to “insufficient” data security policies and failing to prevent the hack.

“Personal and financial information is a valuable commodity,” states the lawsuit. “A ‘cyber black-market’ exists in which criminals openly post stolen credit card numbers, Social Security numbers and other personal information on a number of Internet websites.”

Cyber criminals are patient, sometimes waiting years after a hack for protection services to expire and victims to lower their guard, the lawsuit asserts. It also argued credit monitoring would not prevent access to medical or insurance records.

“The ongoing exposure of confidential consumer and business information through data security breaches fuels a thriving internet black market in which sensitive information is traded, sold and re-sold on a daily basis through online black market websites, secret chatrooms and underground forums,” according to the lawsuit.