Arizona Hospital Pays $1.25 Million in HIPAA Settlement After Cyber Attack

Rivkin Radler LLP

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on February 2 that Banner Health, a not-for-profit hospital system based in Arizona, has paid $1.25 million to settle alleged HIPAA violations in connection with a cyber attack.

The incident occurred in 2016, when a hacker gained access to the electronic protected health information of almost 3 million Banner Health patients, including their names, physician names, dates of birth, social security numbers, clinical details, dates of service, insurance and claims information, lab results, diagnoses and medications. After its investigation, OCR concluded that Banner Health potentially violated HIPAA by failing to (i) perform risk assessments of its electronic health system, (ii) adequately monitor its system activities to prevent a cyber attack, (iii) implement an authentication process, and (iv) maintain security measures to protect against unauthorized access when protected health information was transmitted electronically.

In addition to the monetary fines, Banner Health agreed to implement a corrective action plan to resolve the HIPAA violations. The plan requires ongoing monitoring by OCR for two years, completion of a thorough risk analysis of Banner Health’s electronic systems across the organization, implementation of a risk management plan to address any vulnerabilities in the system, and implementation of policies and security measures to better protect electronic health information.

OCR noted that “74% of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information.” OCR continues to focus its efforts on improving cyber defenses in the healthcare industry and reminds healthcare providers that they must be vigilant in protecting their electronic systems and records by maintaining robust security and privacy policies, performing routine risk assessments, and responding to potential threats and cyber attacks appropriately.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
