In This Healthcare Breach, It’s the Doctor Who Sues

A physician working for Banner healthcare has filed suit against his employer, saying the company was negligent and demanding more protection from hackers.

Lawsuits are common in the aftermath of data breaches, as those affected by the theft of their data look for redress. But when Banner healthcare announced that it was the victim of a data breach that affected some 3.7 million customers, it was surprising that one of the company’s own doctors led the way in filing suit.

As reported by The Arizona Republic, Glendale, Arizona, physician Dr. Howard Chen, who works at Banner’s Thunderbird Hospital, filed a class-action lawsuit against Banner Health. His suit seeks compensation for identity protection and credit monitoring, arguing that the one year of credit monitoring offered by Banner is inadequate.

“Banner’s negligence affected millions of people,” said attorney Rob Carey in a statement. “It’s not enough to offer a skimpy 'fix' — the law requires Banner remedy the serious risks it created for its stakeholders,” the Republic reported.

Banner has declined to comment on the suit.

The suit underscores the broad nature of the Banner breach, which affected patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers who worked in Banner facilities.

In a statement on August 3, Banner acknowledged the breach, which it first detected in June, saying that cyber attackers may have gained unauthorized access to two separate computer systems, including one that processes payment card data at food and beverage outlets at 27 Banner Health locations. The attackers targeted payment card data, Banner said. The breach lasted for two weeks, between June 23, 2016 and July 7, 2016.

Banner’s investigation subsequently revealed that the attackers “may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers.” That data trove included patient birthdates and addresses, the names of physicians, dates of service, medical claims information and even health insurance information and Social Security Numbers.

Given the broad nature of the data stolen and its utility to would-be identity thieves and scammers, Chen’s argument that the now-standard year of data protection services offered by Banner is inadequate carries weight. Other breached firms have extended the offer to two years or, in the case of Blue Cross Blue Shield plans, lifetime monitoring.

Chen’s suit calls for Banner to do more. And there’s ample evidence that the status quo that’s emerged for massive breach cases like Banner’s isn’t adequate to either change corporate behavior or make affected customers whole again.

On the corporate behavior side, a survey by the Online Trust Association released earlier this year concluded that nine of every ten data breaches that occurred in the first eight months of 2015 were “easily avoidable” using simple and well-established security practices, such as applying software patches, encrypting data or ensuring employees do not lose their laptops.

As for the remedies offered by breached firms like Banner, data from Experian suggests that they are not taking root with customers. Fewer than one in ten consumers who have had personal information exposed in a major data breach take advantage of credit monitoring services offered by the company responsible for the breach. Consumers, deluged with news and notices from breached firms, are experiencing “breach fatigue” said Michael Bruemmer, the Vice President of Consumer Protection at Experian Consumer Services.

Of course, under current law Banner is not required to offer more thorough remedies – or any remedies at all. And class-action suits like Chen’s are an imperfect tool for pursuing change. History has shown that breached firms are more than willing to resist such suits, citing the absence of any real damages or harm resulting from the breach. Stolen data may be used for fraud and identity theft, but until it is, affected consumers don’t have legal standing to sue for damages, firms have argued. Banks, on the other hand, have had more success in pursuing such claims.

What’s needed, of course, is comprehensive federal data breach legislation that addresses the needs of the consumers and businesses who are the ultimate victims of data breach and hacking incidents like the one affecting Banner. While no company sets out to be hacked, the absence of serious and predictable consequences for being breached has created an environment in which companies more or less get to decide the extent of their own punishment. That’s a scenario that’s unlikely to lead to meaningful change, leaving individuals like Dr. Chen – employees, customers, business partners – holding the bag.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.