Banner Health Settlement of Breach Lawsuit Costs $6 Million

In June 2016, Banner Health sustained a data breach which resulted in the theft of the protected health information (PHI) of 2.9 million people. Victims of the breach filed a class-action lawsuit in August 2016. Based on documents submitted to the U.S. District Court of Arizona on December 5, 2019, Banner Health has already agreed to settle the lawsuit by paying the breach victims $6 million.

The plaintiffs claimed that the motivation behind the attack was money. Hackers accessed the systems that contain patient data and exfiltrated the PHI of around 2.9 million people. The hackers stole the following types of data: names, addresses, birth dates, Social Security numbers, prescription details, medical records and the credit/debit card numbers of about 30,000 persons. The people who had their credit and debit card details stolen went to the food and drink outlets located in Banner Health hospitals. Because of installing malware, the hackers were able to exfiltrate the card numbers when the victims made purchases. The hackers’ access to the systems of Banner Health continued for about 2 weeks.

The lawsuit claims that Banner Health did not have proper safety measures to defend against cyberattacks, like firewalls, multi-factor authentication, and data encryption.

The plaintiffs contended that the cyberattack had put them at a considerably high risk of dreadful and costly financial and healthcare identity theft. A number of plaintiffs reported they have experienced identity theft and fraud because of the data breach.

As per the settlement terms, plaintiffs need to send reimbursement claims for expenses sustained resulting from the data breach. A person can claim a maximum of $500 for standard expenditures, and a maximum of $10,000 for extraordinary expenditures. Banner Health limited total expenses on claims to $6 million.

Furthermore, persons impacted by the breach received 2 more years of credit monitoring and identity theft protection services. A motion for initial approval of the settlement has been filed by the plaintiffs.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at