Glendale doctor sues Banner Health over data breach

Adrian Hedden
The Republic | azcentral.com

A Glendale doctor has filed a class-action lawsuit against Banner Health after a cyberattack compromised the personal information of about 3.7 million patients, employees, cafeteria customers and others.

Phoenix-based law firm Hagens Berman Sobol Shapiro filed the lawsuit in Maricopa County Superior Court on behalf of Dr. Howard Chen, who works at Banner Thunderbird Hospital in Glendale, according to a statement from the firm.

Banner discovered in late June that its database had been hacked. The suit seeks compensation for identity protection and credit monitoring.

Chen’s lawyers accused Banner of negligence in allowing the breach to occur and argued the one year of credit monitoring already offered by the state's largest health-care provider was inadequate.

“Banner’s negligence affected millions of people,” said attorney Rob Carey in a statement. “It’s not enough to offer a skimpy 'fix' — the law requires Banner remedy the serious risks it created for its stakeholders.”

Banner officials said the company has blocked the hackers. A spokeswoman on Saturday declined to comment on the lawsuit, saying the company does not comment on legal matters.

The breach

Banner Health employees were notified Wednesday that their data was compromised, according to the lawsuit. The notification came more than a month after the breach occurred.

According to the lawsuit, Banner’s information technology staff first detected unlawful activity on June 29. Hackers were able to access payment card data from hospital cafeterias at multiple Banner locations in Alaska, Colorado, Wyoming and Arizona. On July 13, Banner found hackers also had gained access to patient health-insurance records containing names, birth dates, Social Security numbers, addresses, doctor names, dates of service, claims and insurance information, according to the lawsuit.

Banner sent out an email Aug. 3 that read, “It is possible that information from approximately 3.7 million individuals may be affected by this incident.” In the email, Banner offered all of those affected one free year of credit monitoring through Kroll, a credit-monitoring firm.

The allegations

Currently on staff at Banner Thunderbird Hospital, Chen also worked at the Banner Arizona Medical Center from 2010 to 2013. He utilized the insurance Banner provided during his employment and worries his data is at risk, according to the lawsuit.

The lawsuit alleges negligence on Banner's part, citing “insufficient” data security policies and a failure to prevent the hack.

“Personal and financial information is a valuable commodity,” states the lawsuit. “A ‘cyber black-market’ exists in which criminals openly post stolen credit card numbers, Social Security numbers and other personal information on a number of Internet websites.”

Cyber criminals sometimes wait years after a hack, the lawsuit said, until protection services run out and victims lower their guard. The lawsuit also argued credit monitoring would not prevent access to medical or insurance records.

‘A thriving internet black market’

In the lawsuit, Chen’s lawyers detailed the danger of identity theft and cybercrime.

Citing the Identity Theft Protection Association, the lawsuit states that client information could have already been bought and sold numerous times since the breach and that Banner’s policies were inadequate to stop the hackers.

“The ongoing exposure of confidential consumer and business information through data security breaches fuels a thriving internet black market in which sensitive information is traded, sold and re-sold on a daily basis through online black market websites, secret chatrooms and underground forums,” according to the lawsuit.

Banner officials said the health-care provider has now blocked the attackers and is "working to enhance the security of its systems in order to help prevent this from happening in the future."

Banner Health established a website that details information about the data breach at bannersupports.com. Patients or other customers who have questions or concerns about the cyberattack can call 1-855-223-4412.