Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. The breach has been reported as the largest for a hospital in 2016.
According to Banner Health, attackers obtained access to the “point-of-sale” systems at food and beverage outlets in its facilities, reminiscent of recent attack suffered by the hospitality industry. Apparently, Banner Health failed to separate its systems and servers containing personally identifying information (“PII”) and protected health information (“PHI”) from those used for its point-of-sale system. After the breach, Banner informed its employees and its patients that their data may have been compromised.
Banner Health’s patients and providers wasted little time in bring suit, with both having filed class action complaints in the District of Arizona. Plaintiffs allege that Banner Health negligently maintained the security of Plaintiffs’ PII and PHI, failed to immediately notify them of the data breach, breached Banner Health’s representations concerning its data security, and violated Plaintiffs’ right to privacy.
Banner Health has not yet filed motions to dismiss or answers. But given the allegations in the complaints, the district court will need to resolve a number of unsettled questions:
• Standing: The named Plaintiffs do not know whether hackers accessed—let alone used—their data. Accordingly, they pled that they “live in fear of identity theft” and that they have spent “time and money safeguarding” their personal and private information. Although the Seventh Circuit held that such allegations are sufficient for Article III standing, the Ninth Circuit has not weighed in on this issue.
• Contractual Obligations: In other data breach class actions against health care providers and insurers, plaintiffs have claimed—with mixed success—that their contracts incorporated the entities’ PHI and PII privacy policies. In the Banner Health complaints, Plaintiffs have not asserted a claim for breach of contract, instead asserting a promissory estoppel claim. It is unclear whether this tactic will prove successful.
• Failure to Notify: Some courts have held that defendants who disclose data breaches or provide free fraud protection services admit—at least at the pleading stage—that plaintiffs were among those affected by a data breach. The complaints in Banner Health, in contrast, show that failure to promptly notify consumers of a breach raises its own set of problems. Relying on Arizona law, Plaintiffs alleged that Banner Health is liable for not providing notice in the “most expedient manner possible and without unreasonable delay.”
• Federal Trade Commission (“FTC”) Act Violations: The FTC has stepped up its enforcement efforts against companies that fail to protect consumers’ data. The Commission has concluded that lax cybersecurity practices are “unfair or deceptive acts” under the FTC Act. That Act, though, does not provide a right of action for private parties. So, Plaintiffs in Banner Health are bootstrapping recent FTC decisions, claiming that Banner Health acted negligently under Arizona law because it violated the FTC Act. Plaintiffs may also argue that, in light of the FTC’s recent decisions, Banner Health violated the Arizona Consumer Fraud Act—which, like the FTC Act, prohibits “deceptive or unfair” acts and practices. Rev. Stat. §44-1522; see Sellinger v. Freeway Mobile Home Sales, 110 Ariz. 573, 575 (1974) (implying a right of action).
These law suits are not the end of Banner Health’s problems. It does not appear that the Department of Health and Human Services (“DHHS”) has initiated proceedings against Banner Health. But if the past is a prologue, an enforcement action is a real possibility. Banner Health owns and operates over 29 hospitals and various other health facilities. As such, it is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). And the implementing regulations for those statutes require covered entities to properly secure electronic PII and PHI—or face monetary penalties.
The Banner Health breach shows the danger of not segregating point-of-sale systems from systems that store medical records. Indeed, a 2012 study by Verizon showed that point-of-sale systems are responsible for 48% of assets compromised in health care data breaches. Health care providers should make sure that attackers cannot use point-of-sale systems—especially if those systems are also used by third party vendors—as a jumping off point to access the company’s entire network.
Whatever the Arizona district court ultimately decides, this case should have a significant impact on future data breach class actions. We will continue to monitor the case, so stay tuned for further updates.