HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking

Banner Health pays $1.25 million to settle cybersecurity breach that affected nearly 3 million people

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The settlement concerns the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which works to help protect health information and data from cybersecurity attacks. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operations in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

In addition to the monetary settlement, Banner Health will undertake steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner-health-ra-cap/index.html

Cybersecurity incidents and data breaches continue to increase across all industries. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. The Biden-Harris Administration has announced a relentless focus on improving the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and taking aggressive action to strengthen and safeguard our nation’s cybersecurity. OCR supports this call to action by offering an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.
