The 2016 Banner Health data breach is reportedly being investigated by OCR, although it is currently not possible to estimate the range of potential fines from the agency, according to consolidated financial statements.
An Ernst & Young year-end financial report on Banner Health and Subsidiaries discussed audits that were conducted on Banner Health statements from the years ending December 31, 2017 and 2016.
Along with discussing various areas such as acquisitions, significant accounting policies, and concentrations of credit risk, EY also reported on the OCR investigation.
“Banner is cooperating with the investigation,” report authors wrote. “The OCR investigation is still active, and the OCR has indicated that the initial Banner responses with respect to its past security assessment activities are inadequate.”
“Although Banner has supplemented its initial responses, Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner,” the report continued.
The incident under investigation was initiated on June 17, 2016, and was discovered by Banner in late June 2016. Banner computer systems that process credit card payments in food and beverage outlets at certain Banner locations were accessed through a cyber attack.
Approximately 21,000 credit card numbers may have been accessed in that attack, but Banner servers that contained personal and patient information of nearly 3.7 million individuals may have also been impacted.
“Following discovery, Banner implemented actions to remove the malware, remedy the damage to the network, and enhance the security of its network,” the EY report explained. “Banner has also directly notified those individuals which it can identify as potentially having had their personal and patient information improperly accessed, and is offering ongoing monitoring and other steps to protect those who may have been affected by the breach.”
Report authors also noted that Banner has had nine putative class action lawsuits filed against it following the data breach. The cases have been consolidated into a single lawsuit, which the healthcare organization will “vigorously” defend against.
“At this point, the full extent of potential loss incurred in connection with the investigation, notification, mitigation and remediation of the attack, and the likelihood and extent of potential liability in the pending lawsuits are not known,” the report said. “The extent of insurance coverage for any potential liability has not yet been settled, although management believes at this time that a substantial portion of the potential exposure from the cyber-attack and ensuing litigation will be covered by its cyber risk insurance program.”
Healthcare data breaches can be particularly damaging to organizations, with both short- and long-term effects. For example, healthcare data breaches cost organizations $380 per record, according to the 2017 Cost of a Data Breach Study: Global Overview from IBM and Ponemon. The global average across industries was $141 per record.
Malicious or criminal attacks were the leading cause of US data breaches, accounting for 52 percent of incidents. Human error and system glitches each accounted for 24 percent, the report showed.
“Data breaches and the implications associated continue to be an unfortunate reality for today's businesses,” Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”
“Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”
Third-party error, compliance failure, extensive migration to the cloud, a rush to notify, and lost or stolen devices each increased data breach costs by more than $10 per compromised record.
Following the actual data breach and initial response, OCR settlements can also be especially expensive for healthcare organizations.
Fresenius Medical Care North America (FMCNA) agreed to a $3.5 million settlement in February 2018, following alleged HIPAA violations from five different incidents.
The separate data breaches took place between February 23, 2012 and July 18, 2012, with several involving a lack of accurate and thorough risk analyses, OCR reported.
In addition to the settlement, FMCNA covered entities must conduct an accurate and thorough risk analysis, develop and implement a risk management plan, implement a process for evaluating environmental and operational changes, and develop an encryption report.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino stated. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”