Banner Health agrees to $6 million settlement over 2016 breach

Banner Health has agreed to pay up to $6 million to victims of a massive data breach the Arizona health system experienced in 2016, according to court documents filed last week.

The plaintiffs in the case filed the motion for preliminary approval of a settlement to end a proposed class action over the cyberattack in federal court in Arizona.

Under the deal, nearly 3 million people who Banner notified after a 2016 data breach would be able to submit reimbursement claims for expenses stemming from the incident. Each class member’s reimbursement is capped at $500 for ordinary expenses and $10,000 for extraordinary expenses. The overall cap that Banner agreed to is $6 million.

Extraordinary expenses could include out-of-pocket costs or time lost responding to identity theft or fraud, according to the motion.

Banner also agreed to provide people affected by the data breach with a two-year subscription to credit monitoring and identity protection services and to take additional steps to improve the health system’s information security systems.

The settlement will provide “substantial monetary and injunctive relief” to the 2.9 million people who Banner notified after the 2016 data breach, according to the plaintiffs.

Hackers in June 2016 gained unauthorized access to computer servers at Banner, compromising information on patients and health plan members, as well as credit card information from customers who had purchased food or beverages at the health system. It was an unusual hack, affecting two separate computer systems—one for credit and debit cards used at 27 food service locations at Banner facilities, and another used for patient and health plan data.

In response, Banner offered those who had data compromised one year of free credit and identity monitoring services.

But plaintiffs in the case have argued the monitoring services Banner offered were inadequate.

One plaintiff had fraudulent bank accounts opened and tax returns filed in her name following the breach, according to the motion.

“The risk of fraud, including financial fraud and medical identity theft, remains ongoing,” the plaintiffs wrote.

A Banner spokeswoman said the health system isn’t able to discuss details of the case, as it is a pending legal matter.

“However, we are hopeful that it will be resolved soon, at which time those who were impacted can learn additional information,” she said. “In the meantime, data security is one of our highest priorities and we continue to work diligently to protect the sensitive information of our patients and employees.”