The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on February 2 that Banner Health, a not-for-profit hospital system based in Arizona, has paid $1.25 million to settle alleged HIPAA violations arising from a cyber attack.
The incident occurred in 2016, when a hacker gained access to the electronic protected health information (ePHI) of almost 3 million Banner Health patients, including names, physician names, dates of birth, Social Security numbers, clinical details, dates of service, insurance and claims information, lab results, diagnoses, and medications. After its investigation, OCR concluded that Banner Health had potentially violated HIPAA by failing to (i) perform a risk analysis of its electronic systems, (ii) adequately monitor system activity so that a cyber attack could be detected and prevented, (iii) implement an authentication process for access to ePHI, and (iv) implement security measures to protect ePHI from unauthorized access while it was being transmitted electronically.
In addition to the monetary payment, Banner Health agreed to a corrective action plan to resolve the alleged HIPAA violations. The plan requires two years of monitoring by OCR, completion of a thorough risk analysis of Banner Health’s electronic systems across the organization, implementation of a risk management plan to address the vulnerabilities that analysis identifies, and implementation of policies and security measures to better protect electronic health information.
OCR noted that “74% of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information.” OCR continues to focus its efforts on improving cyber defenses in the healthcare industry and reminds healthcare providers that they must be vigilant in protecting their electronic systems and records by maintaining robust security and privacy policies, performing routine risk assessments, and responding to potential threats and cyber attacks appropriately.
Sign up to receive Rivkin Rounds at www.RivkinRounds.com.