Ten civil lawsuits, including a class-action suit brought by a physician, have been filed against Banner Health in connection with a large-scale cyber attack that compromised the records of 3.7 million doctors, patients and other customers of the Phoenix-based health-care provider.
The breach is the eighth largest in health care history since federal record-keeping began in 2009.
Banner Health is one of the largest nonprofit healthcare systems in the country, providing services in seven states: Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming. It operates 29 acute-care hospitals, Banner Health Network, Banner – University Medicine, Banner Medical Group, long-term care centers, outpatient surgery centers, family clinics, home care and hospice services, pharmacies and a nursing registry.
The records hack began June 17, affecting patients, members of health insurance plans, doctors and other healthcare providers, and food and beverage customers. However, the company did not discover the attack until July 7. Investigators suspect hackers gained access to the computer systems that process payment card data at food and beverage outlets at some Banner Health locations. It would take another week before Banner administrators learned the full scope of the attack -- that hackers gained access to patient, health plan, and beneficiary information, as well as information about physicians and healthcare providers. Banner did not disclose the breach until Aug. 3.
So far 10 civil lawsuits have been filed. One cited a 2014 data breach by Banner in which the health-care company mailed out magazines with address labels that included patients' Social Security numbers.
Banner's hack is the largest breach of a health care provider this year, according to the U.S. Department of Health and Human Services, which lists breaches affecting 500 or more individuals. So far this year, the records of 229 health and dental care providers have been lost, stolen or disclosed, including 14 in Washington D.C., Maryland, and Pennsylvania:
- Einstein Healthcare Network, Pennsylvania, 2,939 people affected.
- Children's National Medical Center, Washington D.C., 4,107 people affected.
- Integrated Health Solutions PC, Pennsylvania, 19,776 people affected.
- Keystone Rural Health Consortia, Inc., Pennsylvania, 800 people affected.
- Washington D.C. VA Medical Center, 1,062 people affected.
- The Ambulatory Surgery Center at St. Mary, Pennsylvania, 13,000 people affected.
- Heart Center of Southern Maryland, LLP, 1,350 people affected.
- Neurology Physicians, LLC, Maryland, 4,831 people affected.
- Center for Minimally Invasive Bariatric and General Surgery, Pennsylvania, 992 people affected.
- Cardiology Associates, Maryland, 907 people affected.
- Bon Secours Health System Inc., Maryland, 651,971 people affected.
- Geisinger Health Plan, Pennsylvania, 2,814 people affected.
- Man Alive, Inc. and Lane Treatment Center, LLC, Maryland, 860 people affected.
- King of Prussia Dental Associates, Pennsylvania, 16,228 people affected.
- KidsPeace, Pennsylvania, 1,456 people affected.
Even though nearly 4 million Banner records were breached, the incident is minuscule compared with the cyberattack last year against insurer Anthem Blue Cross that potentially exposed the records of nearly 80 million customers and employees.
A data-security expert suggests that sophisticated criminal enterprises are specifically targeting health-care providers and reselling the information for profit. He estimates a record containing a name, address and Social Security number may sell for $1 to $3 on the black market, but detailed medical records with unique patient identifying numbers can sell for up to $100 per record.
If your private medical records or the records of a loved one have been breached, you may be entitled to compensation. Call the offices of trial attorneys Charles Gilman and Briggs Bedigian at 800-529-6162 or contact them online. The firm handles cases in Maryland, Pennsylvania, and Washington, D.C.