[BreachExchange] Glendale doctor sues Banner Health over data breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 8 18:40:21 EDT 2016


http://www.azcentral.com/story/money/business/health/2016/08/06/glendale-doctor-sues-banner-health-data-breach/88348296/

A Glendale doctor has filed a class-action lawsuit against Banner Health
after a cyberattack compromised the personal information of about 3.7
million patients, employees, cafeteria customers and others.

Phoenix-based law firm Hagens Berman Sobol Shapiro filed the lawsuit in
Maricopa County Superior Court on behalf of Dr. Howard Chen, who works at
Banner Thunderbird Hospital in Glendale, according to a statement from the
firm.

Banner discovered in late June that their database had been hacked. The
suit seeks compensation for identity protection and credit monitoring.

Chen’s lawyers accused Banner of negligence in allowing the breach to occur
and argued the one year of credit monitoring already offered by the state's
largest health-care provider was inadequate.

“Banner’s negligence affected millions of people,” said attorney Rob Carey
in a statement. “It’s not enough to offer a skimpy 'fix' — the law requires
Banner remedy the serious risks it created for its stakeholders.”

Banner officials said the company has blocked the hackers. A spokeswoman on Saturday
declined to comment on the lawsuit, saying the company does not comment on
legal matters.

The breach

Banner Health employees were notified Wednesday that their data was
compromised, according to the lawsuit. The notification came more than a
month after the breach occurred.

According to the lawsuit, Banner’s information technology staff first
detected unlawful activity on June 29. Hackers were able to access payment
card data from hospital cafeterias at multiple Banner locations in Alaska,
Colorado, Wyoming and Arizona. On July 13, Banner found hackers also had
gained access to patient health-insurance records containing names, birth
dates, social-security numbers, addresses, doctor names, dates of service,
claims and insurance information, according to the lawsuit.

Banner sent out an email Aug. 3 that read, “It is possible that information
from approximately 3.7 million individuals may be affected by this
incident.” In the email, Banner offered all of those affected one free year
of credit monitoring through Kroll, a credit-monitoring firm.

The allegations

Currently on staff at Banner Thunderbird Hospital, Chen also worked at the
Banner Arizona Medical Center from 2010 to 2013. He utilized the insurance
Banner provided during his employment and worries his data is at risk,
according to the lawsuit.

The lawsuit alleges negligence on Banner's part due to “insufficient” data
security policies and failing to prevent the hack.

“Personal and financial information is a valuable commodity,” states the
lawsuit. “A ‘cyber black-market’ exists in which criminals openly post
stolen credit card numbers, Social Security numbers and other personal
information on a number of Internet websites.”

Cyber criminals sometimes wait years after a hack, the lawsuit said,
waiting for protection services to run out and victims to lower their
guard. The lawsuit also argued credit monitoring would not prevent access
to medical or insurance records.

‘A thriving internet black market’

In the lawsuit, Chen’s lawyers detailed the danger of identity theft and
cybercrime.

Citing the Identity Theft Protection Association, the lawsuit states that
client information could have already been bought and sold numerous times
since the breach and that Banner’s policies were inadequate to stop the
hackers.

“The ongoing exposure of confidential consumer and business information
through data security breaches fuels a thriving internet black market in
which sensitive information is traded, sold and re-sold on a daily basis
through online black market websites, secret chatrooms and underground
forums,” according to the lawsuit.

Banner officials said the health-care provider has now blocked the
attackers and is "working to enhance the security of its systems in order
to help prevent this from happening in the future."