HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking

Banner Health pays $1.25 million to settle cybersecurity breach that affected nearly 3 million persons

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The settlement concerns the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which works to help protect health information and data from cybersecurity attacks. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

In addition to the monetary settlement, Banner Health will undertake actions under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner-health-ra-cap/index.html

Cybersecurity incidents and data breaches continue to increase across all industries. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. The Biden-Harris Administration has brought a relentless focus to strengthening the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and taking aggressive action to bolster and safeguard our nation’s cybersecurity. OCR supports this call to action by providing an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.