Federal regulators fine Banner Health $1.25 million over HIPAA breach
The enforcement action against the Phoenix, Arizona-based nonprofit, announced Thursday, is the first seven-figure monetary penalty in a HIPAA violation case by the Department of Health and Human Services' Office for Civil Rights since January 2021.
Over the past two years, the agency has focused more on obtaining settlements against organizations in cases involving alleged violations of patients’ rights to access health records. Expensive settlements against well-known brands like Banner Health were the exception.
In addition to paying the financial settlement, Banner Health committed to implementing a corrective action plan that includes conducting a thorough security risk assessment and developing and implementing a risk management plan to address security risks for electronic personal health information.
The HHS OCR initiated an investigation in November 2016 after Banner Health reported that a threat actor had gained unauthorized access to its systems in a breach that could affect millions of people.