The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that Banner Health, an Arizona-based nonprofit health system, has agreed to settle a HIPAA Security Rule compliance investigation and will pay $1.25 million to resolve the alleged violations.
Banner Health operates hospitals and other healthcare facilities in six U.S. states, employs more than 50,000 people, and is one of the 25 largest health systems in the United States. In July 2016, Banner Health identified a security breach that began in the systems serving the food and beverage outlets in its hospitals. The threat actors behind the attack had access to its systems for about a month, and during that time they potentially accessed the sensitive personal and protected health information of 2.81 million individuals. OCR was notified of the data breach and launched an investigation into Banner Health's compliance with the HIPAA Security Rule. According to OCR, the investigation uncovered evidence of long-term noncompliance with the Security Rule across the organization, which was a serious concern given the size of the covered entity.
Since 2008, OCR has fined 130 organizations for noncompliance with the HIPAA Rules. One of the most common violations warranting a financial penalty is the failure to conduct an accurate, comprehensive, organization-wide risk analysis. OCR found that Banner Health had failed to accurately assess risks to the confidentiality, integrity, and availability of protected health information and had not implemented appropriate security measures to protect PHI when it was transmitted electronically.
The HIPAA Security Rule requires covered entities to record information system activity and to regularly review those records so that attacks can be detected and stopped, but Banner Health had failed to implement sufficient policies and procedures for reviewing its activity logs. OCR also found that Banner Health lacked adequate measures for verifying the identity of persons or entities seeking access to PHI, as the Security Rule requires, to ensure they are who they claim to be.
Banner Health chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan, which includes conducting an organization-wide risk analysis, managing any identified risks to reduce them to a low and acceptable level, implementing an authentication process, and ensuring information system activity logs are regularly monitored for suspicious activity. Policies and procedures covering all of these areas will also be developed, implemented, and distributed to the workforce, with training provided, as appropriate, on those policies and procedures.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”