American healthcare provider Banner Health has confirmed it will pay $6 million to victims of a 2016 data breach that compromised the cybersecurity procedures it had put in place.
Banner Health is Arizona’s largest single employer, operating across 28 hospitals with facilities across six states and employing around 50,000 people. In June of 2016, Banner Health was hit by a cyber breach in which the private health data of more than 2.9 million Americans was compromised in an attack that spanned two weeks.
Two weeks later, a class action on behalf of private individuals was launched in the US District Court of Arizona against Banner Health, and after quite some time in the courts, documents were filed on the 5th of December to settle the case, with Banner Health agreeing to pay $6 million to the plaintiffs.
The lawsuit filed alleges that “threat actors illegally accessed the computer systems of Banner Health in a financially motivated hack, exfiltrating sensitive personal information of approximately 2.9 million patients,” according to Info Security Magazine.
“Entry into Banner Health’s network was gained via a payment processing system used in the food and beverage outlets of the healthcare provider’s hospitals,” the author states. Victims claim that the third party was then able to access private details like names, addresses, dates of birth, prescription information, medical histories and social security numbers of the 2.9 million patients on file.
“It is further alleged that the credit and debit card numbers of 30,000 individuals who had visited food and beverage outlets at Banner Health hospital sites were also stolen. According to the suit, malware was used to steal card details as purchases were made,” Info Security Magazine writes.
It is alleged in the court filings that Banner Health failed to implement adequate protections to ensure the integrity of its system, and was lacking firewalls, data encryption and multi-factor authentication to keep private data secure. Some of the plaintiffs added that in the wake of the data breach, their identities had been stolen and used to commit fraud.
“Reimbursement claims for expenses accrued as a result of the data breach may be submitted by plaintiffs under the terms of the settlement. Individuals will not be allowed to claim more than $500 for standard expenses or more than 10,000 for extraordinary expenses,” it is being reported.
“Banner Health has also offered alleged victims of the breach two years’ worth of credit monitoring and identity theft protection… a motion for preliminary approval of the $6 million settlement has been filed by the plaintiffs,” according to Info Security Magazine.