Not So Sunny News in Arizona –  Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016

by | Feb 8, 2023 | Government Enforcement, HIPAA, HIPAA Security, Security & Cybersecurity

  • Major health care system in Arizona agrees to pay $1.25 Million for non-compliance with the HIPAA Security Rule.
  • Corrective Plan includes OCR oversight until December 2024! 
  • Cybersecurity incidents remain a high risk for breaches by HIPAA covered entities and their business associates — so, prevent, detect and mitigate!

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools to help you stay on top of the newest compliance challenges in 2023! 

On February 2, 2023, OCR announced that Banner, a nonprofit health system headquartered in Phoenix, Arizona, has agreed to pay OCR $1.25 million to settle HIPAA violations identified as a result of a cybersecurity breach that affected nearly 3 million individuals back in 2016. This will add to Banner’s “cost tab” for the incident, which already includes a multi-million-dollar settlement it entered into with affected patients who filed a class action against the health system in April of 2017. Having a hefty civil monetary penalty tacked on for the same incident is painful. I guess cybersecurity hacking incidents are just “gifts that keep on giving.”  *sigh*

To be honest, this new Settlement Agreement with Banner really does not reveal anything new. In short, after conducting its investigation, OCR concluded that – back in 2016 – Banner fell short of the Security Rule’s requirements, including:

      • not completing an “accurate and thorough” risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI (the risk analysis implementation specification, 45 CFR 164.308(a)(1)(ii)(A));
      • not implementing procedures sufficient to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports (information system activity review, 45 CFR 164.308(a)(1)(ii)(D));
      • not implementing procedures to verify that a person or entity seeking access to ePHI is the one claimed (person or entity authentication, 45 CFR 164.312(d)); and
      • not implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (transmission security, 45 CFR 164.312(e)(1)).

In addition to agreeing to pay $1.25 million to settle the matter with OCR, Banner has also agreed to a corrective action plan under which OCR will monitor the health system’s compliance with HIPAA for two (2) years. This means that, since the Settlement Agreement is dated effective December 21, 2022, OCR will be looking over Banner’s compliance shoulder until December 21, 2024.

If this new OCR Settlement Agreement reminds us of anything important, it’s that cybersecurity incidents create massive headaches and risk for an organization that can drag on for years … and years … and years. Just think about it: this security incident took place in June 2016, yet Banner will not be fully out from under its corrective action plan with OCR until December 2024 – more than 8 years later.  

Of course, the best way for covered entities and business associates to avoid a similar situation is to get effective security measures in place to prevent, detect and mitigate security incidents before they compromise any data. Each of the four findings above maps to a control that should already be documented and operating: a current enterprise-wide risk analysis, routine review of audit logs and access reports, authentication of every person or system that touches ePHI, and encryption of ePHI in transit. For a refresher on OCR’s October 2022 Cybersecurity Newsletter laying out helpful steps for implementing HIPAA Security Incident Procedures, see our previous post on this topic.

 

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule. Review our Table of Contents here

Share this:

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

Archives