Banner Health reaches $6 million settlement to resolve lawsuits pertaining to 2016 data breach

• The incident occurred after threat actors used the payment processing system as a gateway to gain access to servers containing patient data.
• The stolen data included a trove of sensitive information belonging to 3.7 million patients.

The Phoenix-based Banner Health has agreed to pay a proposed sum of up to $6 million to settle consolidated class-action lawsuits related to the massive 2016 data breach. As a part of the settlement of the litigation, the healthcare delivery network will be making reimbursement of expenses related to the breach.

What happened?

• In June 2016, the health system disclosed that hackers had breached the payment processing system of their food and beverage outlets.
• The incident was discovered by Banner Health on July 17, 2016, after which an investigation was launched to determine the extent of the attack.
• The investigation revealed that threat actors used the payment system as a gateway to gain access to servers containing patient data.
• The stolen data included a trove of sensitive information belonging to 3.7 million patients.
• This compromised sensitive information included Social Security numbers, dates of services, health insurance information of current & former employees, and Banner health plans.
• Soon after Banner announced the breach, patients filed class-action suits arguing that the cyberattack significantly increased the risk to financial and medical identity theft.
• The lawsuit also alleged that Banner Health had failed to implement appropriate safeguards to protect against cyberattacks such as multi-factor authentication, firewalls, and data encryption.

What does the settlement cover?

Under the terms of the settlement, plaintiffs will able to submit reimbursement claims for expenses incurred as a result of the data breach. Claims will be accepted up to a maximum of $500 per person for standard expenses and up to $10,000 for extraordinary expenses.

Additionally, patients affected by the breach will also be offered an additional 2 years of credit monitoring and identity theft protection services.