On February 2, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reached a settlement with Banner Health Affiliated Covered Entities (“Banner Health”) for a 2016 data breach that involved hackers’ unauthorized access to the electronic protected health information (e-PHI) of the Phoenix, Arizona-based health system’s 2.81 million customers. Banner Health has agreed to pay $1.25 million under the terms of the settlement.

This is OCR’s first seven-figure monetary settlement in an alleged HIPAA violation since January 2021 and the agency’s second financial penalty in 2023 addressing alleged HIPAA violations. This decision indicates that OCR is serious about investigating reported data breaches and “looking beneath the hood” to assess what really happened in a given situation. Covered entities and business associates should closely review their security programs and HIPAA compliance in light of this latest OCR settlement.

We have provided a summary of the resolution agreement, along with key security considerations for HIPAA-regulated entities. Please feel free to contact us if you have any additional questions.

Banner Health’s Alleged Violations

The action falls under HHS OCR’s authority to enforce the HIPAA Security Rule (“the Security Rule”). HHS first conducted a compliance review of Banner Health on November 21, 2016 when the health system submitted a breach report. Banner Health had first detected a security breach on July 13, 2016. A subsequent internal investigation revealed that hackers had gained access to Banner Health’s systems on June 17, 2016. The threat actors had gained unauthorized access to electronic protected health information (e-PHI) of 2.81 million patients. The compromised e-PHI included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, lab results, medications, and health insurance information.

After being informed of the breach, OCR initiated a review of HIPAA compliance. OCR found that noncompliance had been a contributory factor to the data breach, determining that Banner Health had failed to conduct an accurate and thorough analysis to protect e-PHI and that the health system had not implemented adequate procedures to conduct regular reviews of information system activity as required by HIPAA.

HHS’s investigation found that Banner Health was in violation of several provisions of the Security Rule. The specific provisions that Banner Health was not in compliance with are:

1. The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all e-PHI held by the health system.
2. The requirement to implement sufficient procedures to regularly review records of information system activity.
3. The requirement to implement procedures to verify that a person or entity seeking access to e-PHI is who they are claiming to be.
4. The requirement to implement technical security measures to guard against unauthorized access to e-PHI being transmitted over an electronic communications network.

Banner Health’s Ongoing Corrective Course of Action

In addition to the monetary settlement, Banner Health pledged to implement a corrective plan that entails a comprehensive security risk assessment and risk management plan to address security risks to e-PHI going forward.

Banner Health is now required to comply with a Corrective Action Plan to address e-PHI security. Under the plan, Banner will be required to conduct a thorough risk analysis on all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by Banner Health or its affiliates that contain, store, transmit, or receive Banner Health e-PHI. Banner Health will also create a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store e-PHI.

The health system will further be required to develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis. This Plan will entail a process and timeline for Banner Health’s implementation, evaluation, and revision of its risk remediation activities. Upon HHS approval, Banner Health will implement new policies and procedures for HIPAA compliance. In addition, Banner has the ongoing obligation to investigate and report to HHS any failure to comply with its new policies and procedures.

Key Considerations for HIPAA-Regulated Entities

In recent decades, the health care industry has experienced significant technological evolution. Health systems now rely significantly on electronic information systems to conduct both administrative and clinical operations. These technologies have helped improve quality of patient care and have resulted in a more efficient medical system overall. Organizations should be aware, however, that these technologies have also increased potential security risks for health care organizations.

Covered entities and business associates should closely monitor their compliance with the Rule. Particularly, companies should keep in mind the following considerations:

1. Implement and monitor a risk analysis process. HIPAA-regulated entities should evaluate the likelihood and impact of potential risks to e-PHI and establish security measures to address those risks. They should also regularly review their records to detect security incidents and track any access to e-PHI. 
2. Establish administrative safeguards. HIPAA requires entities designate a security official responsible for implementing and monitoring security policies and procedures. These organizations should all limit disclosure of e-PHI on a role-based access basis. In addition, all workforce members who handle e-PHI should be trained in security policies and procedures.
3. Implement technical safeguards. Entities should ensure only authorized persons have access to e-PHI. There must also be hardware, software, and procedural mechanisms in place to record and track access in e-PHI systems. In addition, it is critical for covered entities to develop technical measures to guard against access to e-PHI being transmitted over an electronic network.