2016 Hacking Incident Affected Nearly 3 Million People

Marianne Kolbasuk McGee (HealthInfoSec) • February 2, 2023

Banner Ocotillo Medical Center in Chandler, Arizona, is one of 30 hospitals Banner Health operates in six states. (Image: Banner Health)
Federal regulators hit multistate hospital system Banner Health with a $1.25 million HIPAA fine in the wake of a 2016 hacking breach that affected nearly 3 million individuals.
The enforcement action against the Phoenix, Arizona-based nonprofit, announced Thursday, is the first seven-figure monetary settlement in a HIPAA breach case by the Department of Health and Human Services’ Office for Civil Rights since January 2021.
Over the last two years, the office has focused more on obtaining settlements against organizations in cases involving alleged violations of patients’ rights to access health records (see: Lab Fined $16K for Long Delay in Providing Patient Records). Expensive settlements against recognized brands such as Banner have been the exception.
“Hackers continue to threaten the privacy and security of patient information held by healthcare organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer in a statement.
Besides paying the monetary settlement, Banner Health pledged to implement a corrective action plan that includes conducting a thorough security risk assessment and developing and implementing a risk management plan to address security risks to electronic personal health information.