[BreachExchange] Banner Health agrees to $6 million settlement over 2016 breach

Destry Winant destry at riskbasedsecurity.com
Tue Dec 10 10:03:09 EST 2019


Banner Health has agreed to pay up to $6 million to victims of a
massive data breach the Arizona health system experienced in 2016,
according to court documents filed last week.

The plaintiffs in the case filed the motion for preliminary approval
of a settlement to end a proposed class action over the cyberattack in
federal court in Arizona.

Under the deal, nearly 3 million people whom Banner notified after a
2016 data breach would be able to request reimbursement claims for
expenses from the incident. Each class member's reimbursement is
capped at $500 for ordinary expenses and $10,000 for extraordinary
expenses. The overall cap that Banner agreed to is $6 million.

Extraordinary expenses could include out-of-pocket costs or time lost
responding to identity theft or fraud, according to the motion.

Banner also agreed to provide people affected by the data breach with
a two-year subscription to credit monitoring and identity protection
services and to take additional steps to improve the health system's
information security systems.

The settlement will provide "substantial monetary and injunctive
relief" to the 2.9 million people whom Banner notified after the 2016
data breach, according to the plaintiffs.

Hackers in June 2016 gained unauthorized access to computer servers at
Banner, compromising information on patients, health plan members and
credit card information from customers who had purchased food or
beverages at the health system. It was an unusual hack, affecting two
separate computer systems—one for credit and debit cards used at 27
food service locations at Banner facilities, and another used for
patient and health plan data.

In response, Banner offered those who had data compromised one year of
free credit and identity monitoring services.

But plaintiffs in the case have argued the monitoring services Banner
offered were inadequate.

One plaintiff had fraudulent bank accounts opened and tax returns
filed in her name following the breach, according to the motion.

"The risk of fraud, including financial fraud and medical identity
theft, remains ongoing," the plaintiffs wrote.

A Banner spokeswoman said the health system isn't able to discuss
details of the case, as it is a pending legal matter.

"However, we are hopeful that it will be resolved soon, at which time
those who were impacted can learn additional information," she said.
"In the meantime, data security is one of our highest priorities and
we continue to work diligently to protect the sensitive information of
our patients and employees."
