By Chris Caraveo, Independent Newsmedia
The effects of the Banner Health data breach in July continue to reverberate, and multiple class action lawsuits against the company may follow in the months ahead.
On July 7, Banner Health suffered a data breach in which about 3.7 million people may have had their confidential financial and medical information stolen. Those affected included patients, health plan members and beneficiaries, food and beverage customers as well as physicians and healthcare providers.
Banner Health discovered that cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations, according to a release from the health provider.
The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data were being routed through affected payment processing systems.
Payment cards used at food and beverage outlets at certain Banner Health locations during the two-week period between June 23 and July 7 may have been affected. A list of the outlets that were affected can be found at www.BannerSupports.com.
Individuals were not notified until Aug. 3, when Banner announced it had sent out letters. However, lawsuit documents claim not all 3.7 million people have received notifications.
Jennifer Ruble, Banner Health Network Public Relations director, said the company has followed regulations in attempts to reach those who could have been impacted, including the following: U.S. mail, media notifications via press release and newswire, websites (all of Banner’s public sites and the Banner employee website), social media, faxed notifications to provider offices and dedicated call center support.
The Arizona law firm Gallagher & Kennedy P.A. filed the first class action lawsuit against Banner Health on Aug. 23. There may be other class action lawsuits filed by different law firms, including Weitz & Luxenberg, which is the largest law firm that sues hospitals for their failures to protect their patients from identity theft.
The Gallagher & Kennedy lawsuit lists Douglas Bell as the single plaintiff in the case.
Mark Fairall, a client of Weitz & Luxenberg and a Sun City West resident for about 18 years, said he has endured the pains of the data breach.
He said he has been affected through his banking account, Medicare charges, a duplicate Facebook account, Yelp account, Twitter account and Cox email account.
Mr. Fairall said he has spent considerable time with his Facebook account. He traced the hack to Russia because a number of fake Facebook friends on the duplicate account had Russian addresses and were written in Russian. More than 30 people, including 15 Facebook friends, accepted invites to the fake page and were affected by the hacks. A malware program called Hammertoss was used. It is one of the most difficult viruses to remove because it is a first-class spyware that can evolve with additional hacker instructions. Hammertoss evades traditional computer defenses and easily spreads from computer to computer.
Mr. Fairall said he believes his story will help the Weitz & Luxenberg class action lawsuit survive motions for dismissal because it shows real losses.
“I had people thank me for invitations to my Twitter account,” Mr. Fairall said. “I don’t send out invitations to those accounts. They didn’t set up a separate account, they were sending invitations to them. I was contacted by all the social media accounts to change my passcodes. I sent a letter to the bank. The information that they (hackers) have, they can go online and set up bank accounts without me being present. So one of the things I’m telling them (the bank) is not to do that without me being present.”
Mr. Fairall has since changed passwords to all his accounts because of hack attempts. His duplicate Facebook account was closed after contact with the social media company.
On Sept. 17, he emailed a formal criminal complaint to Arizona Attorney General Mark Brnovich in addition to a Medicare fraud complaint filed on Sept. 9. He has also filed complaints with the FTC, Medicare Fraud, the Office of Civil Rights and Senators John McCain and Jeff Flake.
Mr. Fairall said he was charged for a fake 7-year-old hospitalization bill. His medical insurance has bounced that fake bill with a formal grievance.
He attempted to gain a copy of his medical records, but was told by a Banner Health employee he could not obtain it for free.
Ms. Ruble clarified any concerns people may have about obtaining their records.
“Patient medical records can be requested free of charge through the MyBanner portal at BannerHealth.com,” she stated in an email. “Patients can also request their medical records in person at our facilities with proper identification. If they need a certain portion of their record, there is no charge. If they need the entire record there is a small charge for the paper or CD.”
Headquartered in Arizona, Banner Health is one of the largest nonprofit health care systems in the country. The system owns and operates 29 acute-care hospitals, Banner Health Network, Banner University Medicine, Banner Medical Group, long-term care centers, outpatient surgery centers and an array of other services, including family clinics, home care and hospice services, pharmacies and a nursing registry. Banner Health is in seven states: Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming.
The Banner breach in 2016 is the eighth largest medical records breach. The 3.7 million people possibly affected represent the largest medical data breach this year. The hospital was hacked before, in a 2014 incident that affected 50,000 people.
“This incident was unlike anything we have experienced before,” Ms. Ruble said about this summer’s breach. “It was a sophisticated crime designed specifically to attack Banner Health.”
What makes the Banner Health data breach this year so dangerous is the fact that both Personally Identifiable Information (PII) and Protected Health Information (PHI) were stolen. The former includes a person’s Social Security number, addresses and other personal information, while the latter is a person’s health records.
The breach affects not only adults but also child patients, who are more at risk of future identity fraud because they cannot act on this issue as well as adults.
The lawsuit claims hacked hospital records could sell for $1,000 on the black market.
While Mr. Fairall said he has not been socially active in the Sun City West community, he advises residents there and in surrounding areas who are connected to Banner to become aware of possible misuse of their personal information. He was not bothered by the notice until he started seeing the signs.