PHOENIX — Banner Health’s admission this summer that a large-scale cyberattack may have compromised the records of 3.7 million people has been followed by a flurry of civil lawsuits from a doctor and patients who allege harm from the data breach.
Plaintiffs have filed 10 civil lawsuits in Maricopa County Superior Court or U.S. District Court in Phoenix naming Banner Health as a defendant since the Phoenix-based health system disclosed the data breach Aug. 3.
The lawsuits blame Banner Health for everything from failing to protect personal information to fraudulent credit-card accounts created in patients’ names since the data breach. One lawsuit referred to Banner Health’s previous data breach in 2014, when it mailed magazines with address labels that included patients’ Social Security numbers.
Banner Health has not publicly discussed the data breach since it notified patients, food-service customers, medical providers, health-plan members and others that may have been affected by the data breach. The lawsuits have been too recent to allow Banner Health a chance to answer them under the case schedules established in U.S. District Court. Most individual lawsuits have been consolidated into a single case before U.S. District Judge Susan Bolton.
In addition to disclosing the data breach to media outlets and regulatory agencies, Banner Health has mailed notices to people who may have been affected by the data breach and offered one year of free credit- and fraud-monitoring services through a vendor, Kroll.
“We have completed our notification process to affected individuals who have been sent letters regarding the cyberattack on Banner Health and free supportive services we are providing,” said Bill Byron, Banner Health’s vice president of public relations. “With respect to the lawsuits, we will not comment on pending litigation matters.”
Health-care industry target of cyberattacks
The Banner Health cyberattack is the largest data breach of a U.S. health provider reported so far this year, according to a list maintained by the U.S. Department of Health and Human Services’ Office of Civil Rights.
Less than two weeks after Banner Health disclosed its data breach, another metro Phoenix health provider, Valley Anesthesiology and Pain Consultants, disclosed a data hack that compromised the records of up to 882,590 individuals.
Valley Anesthesiology learned that a “third party” may have gained access to the health provider’s computer system. When Valley Anesthesiology learned about the data hack, it hired a forensics company to investigate the breach and contacted law enforcement.
Although two major metro Phoenix health providers were hacked this year, there were five data breaches last year that potentially affected more people than Banner Health’s cyberattack. The largest: A data breach of insurer Anthem Blue Cross that potentially exposed records of nearly 80 million customers and employees.
Cyber-security experts and lawyers who specialize in data-breach cases say the health-care industry overall has been slow to respond to the threat. Hackers see hospital and health-care records as an easy target that can retrieve a lucrative return when sold on the dark web.
“I really think that health-care institutions are behind,” said Paul Stoller, an attorney with the Phoenix law firm Gallagher and Kennedy. “They haven’t recognized the target that is on their back and responded accordingly.”
Banner first learned the hackers had accessed the hospital system’s point-of-sale system for food service locations.
Flurry of lawsuits
Stoller’s law firm represents Douglas Bell, a Maricopa County resident whose lawsuit claims that Banner Health failed to safeguard patients’ and health plan members information because hackers were allowed to access that information by first accessing the point-of-sale system.
“Unbelievably for this day and age, Banner failed to separate and segregate its systems and servers containing the (personal identifying information) and (personal health information) of patients, health care plan members, and providers from its POS systems,” the lawsuit stated
In another civil lawsuit, Waddell residents Tracy and Joseph Weedman alleged that the data breach affected the security of their personal information.
After Banner Health disclosed the data breach, the lawsuit stated, the financial services company Capital One informed Joseph Weedman that a credit card was opened in his name by an unauthorized person.
He also learned that an unauthorized person used his personal information to fill out an online application for an American Express credit card, according to the lawsuit.
Sun City West resident Mark Fairall didn’t think much of the form letter he received from Banner Health last month detailing the elaborate data hack that may have compromised sensitive financial and medical data of nearly 3.7 million individuals.
Two weeks later, Fairall received a statement from his health-insurance company that detailed a new charge for a doctor’s visit seven years ago.
One week later, he learned his Facebook profile had been hacked. Fairall said the culprit had set up a duplicate Facebook profile and began reaching out to people connected to him on the social-media network.
Fairall believes the activity is a result of hackers securing his sensitive records from a Banner Health hospital years ago. And he wonders how many others of the 3.7 million individuals are experiencing similar online transgressions.
Fairall also said he received a statement from his Medicare insurance company about new charges from a doctor’s visit in 2009. He filed a complaint with the insurance company claiming fraud, and the insurance company is investigating the charges. He’s convinced it’s the work of hackers attempting to slip through a bill using his records.
Fairall urged others to scrutinize their personal and medical information, and social media accounts.
