Friday, May 09, 2025

Banner Health experienced a cybersecurity hack that exposed patient data, including names, card numbers, expiration dates, and verification codes

These trends are extremely worrisome. It’s not that we can prevent hackers from what they do. We can’t. 

It’s the fact that healthcare data gatekeepers are unwilling to do anything for patients.

Banner Health's path to a better patient financial… | Flywire

AI Overview

In 2016, Banner Health experienced a cybersecurity hack that exposed patient data, including names, card numbers, expiration dates, and verification codes, from payment card processing systems at food and beverage outlets.
  • This breach, which affected 3.7 million individuals, led to a $1.25 million fine from the U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR).
  • The hack also triggered a multi-million-dollar civil settlement in a class action lawsuit.
Banner Health was also required to implement a Corrective Action Plan, including a security risk assessment and a risk management plan.
 
Feds Smack Banner Health With $1.25 Million Fine in Breach
2016 Hacking Incident Affected Nearly 3 Million People

Federal regulators hit multi-state hospital system Banner Health with a $1.25 million HIPAA fine in the wake of a 2016 hacking breach that affected nearly 3 million individuals.


The enforcement action against the Phoenix, Arizona-based nonprofit, announced Thursday, is the first seven-figure monetary settlement in a HIPAA breach case by the Department of Health and Human Services' Office for Civil Rights since January 2021.

Over the last two years, the office has focused more on obtaining settlements against organizations in cases involving alleged violations of patients' rights to access health records (see: Lab Fined $16K for Long Delay in Providing Patient Records). Expensive settlements against recognized brands such as Banner have been the exception.

"Hackers continue to threaten the privacy and security of patient information held by healthcare organizations, including our nation's hospitals," said OCR Director Melanie Fontes Rainer in a statement.

Besides paying the monetary settlement, Banner Health pledged to implement a corrective action plan that includes conducting a thorough security risk assessment and developing and implementing a risk management plan to address security risks to electronic personal health information.

Breach Details

HHS OCR initiated an investigation in November 2016 after Banner reported that a threat actor had gained unauthorized access to its systems in a hack potentially affecting millions of individuals.

The PHI of about 2.81 million individuals was compromised in the incident, including patient names, physician names, birthdates, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information, HHS OCR says.

Banner Health in a 2016 statement said the breach started when attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently opening the door to the attackers accessing a variety of healthcare-related information (see: Banner Health Breach Affects 3.7 Million).

The hack of the card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.

In addition to that payment information, Banner Health said in its 2016 statement that cyberattackers may have gained unauthorized access to patient information. Banner Health initially reported the incident as affecting 3.7 million individuals.

Banner Health's settlement with HHS OCR also follows a 2020 multimillion-dollar civil settlement in a proposed class action lawsuit (see: Banner Health Breach Lawsuit Settled).

Banner Health, which operates 30 hospitals in six states, did not immediately respond to Information Security Media Group's request for comment.

Epic is Next: What I've Learned from the 50 Largest Data Breaches and Cyber Attacks on the American Healthcare System
Welcome to AI Health Uncut, a brutally honest newsletter on AI, innovation, and the state of the healthcare market. 

Change Healthcare hasn’t been the first hacking attempt on an American healthcare system, and unfortunately, it won’t be the last. 

At this point, we should all be at peace with the fact that somewhere across the U.S. healthcare system, our patient data has been compromised, either by hackers or through tech companies selling your data to third parties.


UnitedHealth’s Worst Day Since the 1998 Russian Crisis

And this time, they can’t pin it on Luigi Mangione or "macroeconomic factors." This disaster is 100% self-inflicted.

Apr 17, 2025 

Today was a truly historic day for UnitedHealth (UNH). But not in a good way. With a 22.4% stock price loss, it was the fourth worst trading day in the company’s history, the worst since August 1998 during the Russian ruble crisis, and the first ever self-inflicted one.

All the others were macro events. This? Pure, unfiltered incompetence.

How much of a monopoly do you have to be for a little Trump’s Medicare inflation—not even the multiple fraud cases—to crash a $500B corporation like UnitedHealth?

You have to be Sir Andrew Witty-level bad. That is, clueless and totally unprepared for a shifting market environment.

And yes, there have been multiple fraud cases against UnitedHealth. Just the most recent ones:

