A Phoenix-based nonprofit health system agreed to pay $1.25 million as part of a settlement with the Department of Health and Human Services (HHS) addressing violations of the Health Insurance Portability and Accountability Act Security Rule regarding a 2016 data breach.

The breach at Banner Health compromised the protected health information of 2.81 million consumers, the HHS stated in a Feb. 2 press release. The hacker accessed data that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

The details: Banner Health, which agreed to the settlement without admitting or denying wrongdoing, allegedly violated the Security Rule by failing to protect health-related data from cybersecurity attacks. Deficiencies identified by the HHS included:

  • Lack of an analysis to determine risks and vulnerabilities;
  • Insufficient monitoring of health information systems’ activity;
  • Failure to implement an authentication process to safeguard personal data; and
  • Failure to have security measures in place to protect data being transmitted electronically.

Compliance ramifications: Banner Health must pay its penalty to the HHS’s Office for Civil Rights and agreed to implement a corrective action plan, which will include two years of monitoring by the OCR. The company must further take the following remedial steps:

  • Conduct a risk analysis to determine vulnerabilities to electronic patient/system data;
  • Develop and implement a risk management plan to address identified vulnerabilities to the confidentiality, integrity, and availability of patient data;
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan; the regular review of activity within information systems; an authentication process; and security measures to protect electronically transmitted data; and
  • Report to the HHS within 30 days when workers fail to comply with the Security Rule.

Banner Health did not respond to a request for comment.