Healthcare Provider Agrees to Cough Up $6M to Settle Data Breach Lawsuit

American healthcare provider Banner Health has agreed to pay the alleged victims of a 2016 data breach $6 million. 

Banner Health operates 28 hospitals and specialized facilities across six states, providing jobs for over 50,000 people. The company, which is the largest single employer in Arizona, suffered a data breach in June 2016.

Threat actors accessed the private health data of 2.9 million individuals over a period of approximately two weeks.

Two months later, the alleged victims of the breach brought a class action lawsuit against the healthcare provider. According to documents filed in the US District Court of Arizona on December 5, 2019, that suit has now been settled with Banner Health agreeing to pay $6 million to the plaintiffs.

The lawsuit alleges that threat actors illegally accessed the computer systems of Banner Health in a financially motivated hack, exfiltrating sensitive personal information of approximately 2.9 million patients.

Entry into Banner Health's network was gained via a payment processing system used in the food and beverage outlets of the healthcare provider's hospitals.

Information said to be appropriated during the breach includes names, addresses, dates of birth, prescription information, medical histories and social security numbers. 

It is further alleged that the credit and debit card numbers of 30,000 individuals who had visited food and beverage outlets at Banner Health hospital sites were also stolen. According to the suit, malware was used to steal card details as purchases were made.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyber-attacks, such as firewalls, data encryption and multi-factor authentication. Some plaintiffs claimed that as a result of the breach, their identities had been stolen and used to commit fraud. 

Reimbursement claims for expenses accrued as a result of the data breach may be submitted by plaintiffs under the terms of the settlement. Individuals will not be allowed to claim more than $500 for standard expenses or more than $10,000 for extraordinary expenses. 

Banner Health has also offered alleged victims of the breach two years' worth of credit monitoring and identity theft protection. 

A motion for preliminary approval of the $6 million settlement has been filed by the plaintiffs. 
