U.S. Department of Health and Human Services Hits ‘Banner Health’ with $1.25 Million Fine

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a $1.25 million settlement with the nonprofit health system ‘Banner Health’ following a data breach in 2016.

Not all companies or organizations that suffer a data breach are fined. But a small number of enterprises get penalized for not ensuring the private data they’re supposed to protect and for not taking the necessary precautions to prevent data breach incidents.

Since Banner Health is a nonprofit health system, the company violated the Health Insurance Portability and Accountability Act (HIPAA), which also covers information and data from cybersecurity attacks.

According to settlement details released by OCR, Banner Health failed to provide the necessary protections on several fronts.

“The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically,” reads the OCR press release.

Following a data breach in November 2016, attackers stole protected health information including patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

The $1.25 million settlement is not the only outcome of the case. Banner Health must perform a risk audit and determine if other vulnerabilities exist, fix any security issues the audit might find, and develop, implement, and distribute policies to prevent future intrusions.

Also, the Department of Health and Human Services must be informed when workforce members fail to comply with the HIPAA act.