A federal judge has given final approval to the settlement proposed by Banner Health in the class-action lawsuit filed over its 3.7 million-record data breach in 2016.
The proposed settlement, valued at $8.9 million in December 2019, would cover the claims of breach victims and legal fees. Banner Health also agreed to spend money on improving its cybersecurity defenses to prevent further data breaches.
Hackers attacked the Arizona-based health system through the payment processing system used in the food and beverage outlets in its hospitals. The payment processing system was connected to hospital servers that also stored the protected health information (PHI) of patients. The hackers gained access to the server and stole a large amount of highly sensitive patient information, including demographic data, Social Security numbers, medical insurance data, and claims information from current and former patients of Banner Health. The debit and credit card numbers of about 30,000 customers were also stored in the food and beverage system. This was the largest data breach reported by a healthcare provider in 2016 and is still listed in the top 10 healthcare data breaches ever.
The class-action lawsuit alleged that financially motivated cybercriminals accessed Banner’s network, searched through Banner’s data systems, downloaded and installed hacking software, and copied and exfiltrated substantial amounts of personally identifiable information.
The lawsuit claimed that since around 2012, Banner’s data security procedures had been objectively unreasonable and deficient, specifically with regard to healthcare, insurance and payment card industry benchmarks, applicable legal standards, and the known and growing threat to medical care and insurance firms from cybercriminals.
Under the terms of the settlement, a $6 million fund was set up to provide financial and injunctive relief for all persons affected by the breach, and $2.9 million will go toward lawyers’ fees. Breach victims could claim as much as $500 in ordinary expenses, which include up to 3 hours of undocumented time associated with the data breach, plus additional amounts for documented costs. About $10,000 in extraordinary costs could be claimed, which include as much as 15 hours of documented lost time spent dealing with identity theft and fraud, as well as other financial losses. Banner Health will also cover the cost of two years of credit monitoring services, in addition to those already provided, and an identity theft insurance policy worth $1 million.
Becky Armendariz, senior director of marketing and public relations at Banner Health, said that the firm is happy to settle this issue and will keep on working vigilantly in the best interests of patients, doctors and employees.