Banner Health has reached a proposed settlement of $6 million in its data breach lawsuit.
The healthcare provider operates 28 hospitals and employs over 50,000 people. In June 2016, it suffered a data breach.
Threat actors gained unauthorised access to Banner Health's computer systems via a payment processing system used in the food and beverage outlets located in its hospitals. This in turn allowed the threat actors to access the servers containing patient data.
Compromised information included names, addresses, Social Security numbers, dates of birth, patients' medical histories, and card payment information from customers who purchased food or beverages.
Threat actors had gained access to the private health information of 2.9 million individuals over a duration of two weeks.
Two months after the breach, the victims filed a class action lawsuit against Banner Health in the US District Court of Arizona on December 5, 2019, alleging that “financially-motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information belonging to approximately 2.9 million people.”
It is further alleged that the credit card and debit card numbers of 30,000 food and beverage customers were also stolen, with one plaintiff claiming that she had fraudulent bank accounts opened and tax returns filed in her name as a result of the breach.
“The security incident exposed Banner patients, insureds, providers, and payment card users to a significantly increased risk of suffering devastating and expensive financial and medical identity theft,” the plaintiffs argued.
In addition, the lawsuit alleges that the healthcare provider failed to implement appropriate safeguards to protect against such attacks.
Banner Health has now agreed to pay up to $6 million to the victims. All of the impacted victims will be able to submit claims for reimbursement of expenses arising from the incident. However, victims will not be able to claim more than $500 for standard expenses or over $10,000 for extraordinary expenses.
Banner Health has offered two years’ worth of credit monitoring and identity theft protection to all alleged victims.
The post #Privacy: Banner Health agrees to pay $6m data breach settlement appeared first on PrivSec Report.