Court Grants Final Approval of $8.9 Million Banner Health Class Action Lawsuit Settlement
A federal court recently granted final approval for an $8.9 million settlement of a class action lawsuit against Banner Health stemming from a 2016 data breach. The settlement spells out steps the Phoenix-based organization must take to improve information security.
A preliminary settlement in the case, which consolidated 11 class action lawsuits, was reached in December.
The final settlement clarifies that the healthcare delivery network, which includes 28 hospitals and other healthcare facilities in six states, has agreed to pay up to $6 million to individuals affected by the breach for reimbursement of certain expenses, plus $2.9 million for plaintiffs’ attorneys fees.
Due to duplication of some individuals initially identified by Banner Health as victims in the incident, the settlement covers 2.9 million class members, rather than the more than 3.6 million individuals listed as affected in the organization’s breach report filed with the Department of Health and Human Services in 2016.
Under the settlement, class members can receive:
- An “ordinary” cash payment for up to three hours of undocumented lost time in connection with the security Incident and/or additional documented expenses or monetary loss up to $500;
- Cash reimbursement for up to 15 additional hours of documented lost time in connection with the security Incident and/or additional documented expenses or monetary loss, up to $10,000;
- Two additional years of credit and identity monitoring, which includes $1 million in identity theft coverage.
Banner Health offered affected individuals one-year of credit monitoring after discovering the breach in 2016.
The amount that Banner Health has agreed to spend in improving its security practices is redacted in court documents, but the steps the organization has agreed to take, or has already taken, include:
- Hiring a CISO to lead information security programs improvements;
- Adding 58 full-time employees for its information security department, including a 13-person leadership team and three full time employees dedicated to information security audit and assessment support;
- Hiring a professional services firm to objectively evaluate its information security program to determine the maturity of its security function capabilities and recommend a three-year roadmap for “significant investment and improvement” and implementation of enhanced security processes.
A separate court document that outlines the other steps that Banner Health has agreed to take to improve its information security program is sealed.
In a statement provided to Information Security Media Group, Banner Health says: “In June and July of 2016, Banner Health’s computer servers were compromised in a cyberattack. Since that time, Banner notified impacted parties, conducted a full investigation and implemented a variety of safeguards to reduce the likelihood of a similar incident occurring again.”
Banner Health did not immediately respond to ISMG’s request for additional details regarding the measures the organization is taking to improve its information security program. It also did not respond to ISMG’s inquiry regarding the total number of information security employees it has and other details about its security leadership team.
An attorney representing plaintiffs in the class action lawsuit did not immediately respond to an ISMG request for comment on the settlement.
Payment System Hacked
Banner Health said in 2016 that the data breach started when attackers gained unauthorized access to payment card processing systems at some of the organization’s food and beverage outlets, apparently opening the door to the attackers accessing a variety of healthcare-related information.
The hack of the card processing systems exposed cardholders’ names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.
In addition to that information, Banner Health said in its statement that cyberattackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. Data exposed could include patient names, birthdates and addresses as well as clinical details, such as physicians’ names, dates of service, claims information and possibly health insurance information and Social Security numbers, Banner Health said.
Class Action Trends
The Banner Health settlement “confirms the ominous growth of class actions based on the breach of patient information,” says independent health data privacy and security attorney Paul Hales, who was not involved in the Banner Health lawsuit.
“The settlement documents show that while money recovered by plaintiffs is still relatively small, attorneys for the defendant and the plaintiffs earned significant fees, and Banner’s costs in both money and reputation were substantial.”
The Banner Health settlement’s requirements security improvements are part of a recent trend in data breach class action lawsuits.
For instance, under a $74 million settlement in 2019 of a lawsuit against Premera Blue Cross after a 2014 data breach affecting 11 million individuals, the health insurer was required to spend $42 million – $14 million annually over three years – on enhanced data security measures.
Those include taking action to encrypt sensitive data, such as member names and Social Security numbers, implement and maintain two-factor authentication for remote access and conducting an annual IT security audit.
Keep Guard Up
Although federal regulators have relaxed enforcement of certain HIPAA provisions as a result of the COVID-19 crisis, “the HIPAA rules remain in effect and are the professional standard of care for health information privacy and security,” Hales notes.
“I worry that providers, encouraged by government waivers, may inadvertently violate patient privacy and generate a dramatic increase in class action lawsuits as they fight to save patient lives.”