Banner Health Breach Lawsuit SettledPlaintiffs' Attorney Says Settlement Totals 'Tens of Millions of Dollars'
A federal court has granted preliminary approval of a multi-million dollar settlement of a consolidated class action lawsuit filed against Banner Health in the wake of a massive 2016 breach of healthcare and financial information.
Under the preliminary settlement approved on Dec. 5, the Phoenix-based healthcare delivery network has agreed to pay up to $6 million to class members for reimbursement of expenses related to the breach. The court approved the settlement class as including 2.9 million individuals.
As part of the settlement of the litigation, which consolidated 11 class action lawsuits, Banner Health will also pay for two additional years of credit monitoring for settlement class members in addition to the one year of credit monitoring it originally offered.
That additional credit monitoring coverage includes up to $1 million reimbursement insurance from AIG covering losses due to identity theft and stolen funds.
Banner Health has also agreed to pay $2.9 million for legal costs incurred by plaintiffs' attorneys in the case, settlement documents show.
Paul Stoller of the Phoenix, Arizona-based law firm Dalimonte Rueb Stoller LLP, who is a lead attorney for plaintiffs in the lawsuit, tells Information Security Media Group that the total value of the settlement is in "the tens of millions dollars."
That includes the $6 million set aside for class members' expense claims, the additional credit monitoring being paid for by Banner Health, plus security improvements that the healthcare provider will make as part of the agreement.
Banner Health has agreed to implement "extensive information security improvements" to its enterprise, including a robust set of "future business practice commitments," according to settlement documents. Details of those improvements are under court seal.
Stoller clarified for ISMG that the settlement covers only 2.9 million individuals, rather than the more than 3.6 million individuals listed as affected in Banner Health's breach report, due to duplication of some individuals initially identified by the organization as victims in the incident.
Banner Health did not immediately reply to a request for comment.
Banner Health said in 2016 that the data breach started when attackers gained unauthorized access to payment card processing systems at some of the organization's food and beverage outlets, apparently opening the door to the attackers accessing a variety of healthcare-related information.
The hack of the card processing systems exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems.
In addition to that information, Banner Health said in its statement that cyberattackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. Data exposed could include patient names, birthdates and addresses as well as clinical details, such as physician names, dates of service, claims information and possibly health insurance information and Social Security numbers, Banner said.
Commenting on class action lawsuit settlement trends, Steven Teppler of the law firm Mandelbaum Salsburg P.C., who was not involved in the case, tells ISMG: "The trend is for settlements involving protected health information breaches to increase as the understanding of the long-lasting potential for identity compromise becomes more widely understood."
"Expect negotiations to get tougher. The better course is [for organizations] to expend the resources on shoring up cybersecurity."
Provisions calling for a breached entity to make improvements to its information security practices are increasingly common in health data breach class action settlements.
For instance, a proposed $74 million settlement approved in June of a consolidated class action lawsuit against Premera Blue Cross requires the health insurer to invest $42 million to bolster its data security (see $74 Million Settlement in Premera Lawsuits Proposed) .
Also in 2018, a $115 million settlement in lawsuit filed against Anthem in the wake of a 2014 cyberattack impacting about 79 million individuals included a provision for the health insurer to nearly triple its cybersecurity budget (see Judge Approved Final $115 Million Anthem Settlement).
Under its settlement, Banner Health will reimburse up to $6 million to class members for claims of "ordinary" and "extraordinary" expenses.
"Ordinary expenses," which will be reimbursed up to $500 per class member, include long distance telephone charges; internet usage charges; documented costs associated with miscellaneous expenses such as notary, fax, postage, copying, and mileage; documented costs associated with credit freezes; and up to three hours of lost time compensated at $15 per hour upon attestation that time was spent as a result of the security incident.
"Personal health information is extremely valuable to threat actors, and provides an easier path to identity compromise on an ongoing basis," Teppler notes. "While the $500 per class member is better than nothing, it doesn't reflect providing for future Banner breach-sourced identity compromise."
Those class members who document "extraordinary expenses" can be reimbursed up to $10,000 each, the settlement notes. Those expenses include documented credit monitoring or identity protection services obtained after receiving notice of the breach above any amounts compensated as ordinary expenses; documented professional fees and other costs incurred to address fraud, such as identity and income tax fraud; expenses tied to new account fraud, existing account fraud, account takeover and medical identity theft; fraud-related unreimbursed charges from banks or credit card companies; and reimbursement for up to 15 additional hours of lost time.
Class members have up to one year to submit claims once the settlement is finalized. A date for the final settlement was not yet set by the court.
"The conditions are onerous, and apart from the rather meager $15 hourly compensation rate ... for ID issue resolution work, the time limit or filing one year from the [settlement] notice date presumes that all ID compromise happens within a predetermined - not by threat actors - settlement period," Teppler notes.
As part of the settlement, Banner Health has also agreed to pay "incentive awards" of up to $5,000 each to the six primary plaintiffs in the class action lawsuits.
A consolidated financial statement report for 2016 and 2017 issued in March 2018 by the consultancy Ernst & Young about Banner Health noted that in addition to the healthcare system facing the consolidated class action lawsuit, it was also dealing with an investigation by HHS' Office for Civil Rights related to the 2016 data breach (see: Financial Fallout from Data Breaches).
But OCR, which enforces HIPAA, has not yet issued any public enforcement action against Banner Health. And the agency does not comment on its breach investigations.