A judge has approved the deal settling all claims related to Banner Health’s 2016 data breach, which includes stipulations for how the hospital operator must improve its information security.
In June 2016, Banner Health disclosed that a breach of its food and beverage outlets’ payment processing system had exposed the personal information and payment card details of roughly 30,000 food and beverage outlet customers. Just a month later, the health system disclosed that the breach was more extensive than originally thought: the attackers had moved laterally from the payment card environment into the wider network and gained access to healthcare systems, exposing sensitive personal and health information belonging to patients, beneficiaries, members, and providers. Exposed information included names, addresses, Social Security numbers, birthdates, medical and pharmaceutical history, and claims data.
All in all, about 2.9 million individuals were affected by the breach.
"Financially-motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information belonging to approximately 2.9 million people," the plaintiffs said in court documents.
First proposed in December, the $8.9 million settlement was approved by Judge Susan Bolton of the United States District Court for the District of Arizona. The final settlement includes both monetary payments and specific steps the health system must take to improve its information security program.
“Banner has agreed to implement extensive information security improvements, including a robust set of Future Business Practice Commitments,” the court documents said. The plaintiffs in the lawsuit had alleged that the health system failed “to take adequate precautions” such as multifactor authentication, firewalls or encryption.
Data breach settlements increasingly include concrete security measures that the settling organization must implement. The $74 million settlement for Premera Blue Cross over its 2014 data breach required the health insurer to spend $42 million, or $14 million annually over three years, on data security measures such as encrypting sensitive information, implementing two-factor authentication and conducting annual IT security audits. The court documents said Banner has already made some improvements to its information security program since the breach, but did not specify what had been done.
While Banner Health hired former Sharp HealthCare CISO Bryan Kissinger as its CISO about a year after the breach, the position has been vacant since his departure last September. Kissinger had previously spoken about Banner’s efforts to improve identity and access management and to deploy behavioral monitoring to detect malicious activity.
The actual list of security improvements was redacted from the court documents posted on the Banner Health settlement site, but the Information Security Media Group reported that the stipulations included adding “58 full-time employees for its information security department, including a 13-person leadership team and three full-time employees dedicated to information security audit and assessment support.” Another was to hire a professional services firm “to objectively evaluate its information security program to determine the maturity of its security function capabilities and recommend a three-year roadmap for ‘significant investment and improvement’ and implementation of enhanced security processes.”
Back in 2018, it was reported that Banner Health was under investigation by the United States Department of Health and Human Services’ Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act, in relation to the data breach. Early reports indicated that the initial findings regarding Banner’s security program were “inadequate.” At the time, Banner Health anticipated that the investigation would result in “negative findings with respect to its information technology security program,” the report said.
Under the settlement, Banner Health will provide victims with two additional years of credit and identity protection monitoring services from Identity Guard Total, powered by IBM Watson. The operator offered one-year credit monitoring (as is now customary after a data breach) when the breach was originally publicized. Victims who accepted the earlier offer—or paid for their own—are still eligible for the new service.
The inclusion of another subscription to a credit and identity protection service in the final settlement acknowledges that some types of data never expire: once stolen, the victim remains at risk of fraud or identity theft indefinitely. Payment card numbers can be reissued, but Social Security numbers and birthdates cannot. The service includes monitoring the Dark Web for signs that victims’ data is being sold, as well as monitoring court and tax records in case their identity is being used fraudulently.
Breach victims will be able to file reimbursement claims for expenses incurred due to the breach, capped at $500 for typical expenses and $10,000 for extraordinary expenses, such as out-of-pocket costs and time lost dealing with identity theft and fraud. Of the $8.9 million settlement, $2.9 million will go to plaintiffs’ attorneys.