Banner Health pays $1.25M
The Office of Civil Rights (OCR) announced that Banner Health Affiliated Covered Entities (Banner), a nonprofit health system headquartered in Phoenix, Arizona, has settled to resolve a data breach resulting from a 2016 hacking incident. More than 2.8 million patients had their protected health information (PHI) compromised. None of this is new or (unfortunately) shocking. Hackers are going to hack and find vulnerable systems.
What surprises us, aside from this case taking YEARS to settle, is the alleged lack of a security risk analysis, of an authentication process, and of security measures to protect ePHI in transit; all of these are BASIC security controls. Less surprising is that Banner also allegedly failed to monitor their systems to detect an attack.
So now Banner is paying OCR $1,250,000 and has agreed to implement a corrective action plan. We have worked with a LOT of not-for-profit companies and understand the resource constraints each has to balance alongside their compliance, security and risk programs - assuming that such programs formally exist. Our point here is that OCR did not pull any punches, despite Banner operating as a nonprofit entity. We offer options that any covered entity or business associate should be able to afford - just try us and...
Stay (HIPAA) safe, Alan -