HIPAA Blog

[ Friday, December 22, 2017 ]

 

Banner (Arizona) Breach: You may recall a year and a half ago, Banner Health's Arizona facilities suffered a mostly-non-HIPAA data breach: specifically, hackers got into Banner's point-of-sale payment card processing system at its snack bars and cafeterias.  The hackers eventually got into some Banner servers containing PHI.  But it was really more a Home Depot type breach than an Anthem type breach.

A class action lawsuit was filed against Anthem, based on a handful of causes of action, including breach of contract by Banner for failing to provide protections of employee data as described in Banner's employee handbook.  The class action judge has just thrown out several of those claims, including the employee handbook claims.  But she has let the class action continue of unjust enrichment (Banner didn't spend as much on data security as it should have, and that savings unjustly enriched Banner at the expense of the victims of the hack), negligence (Banner had a duty to protect the data, failed at that duty, and caused damages), and violation of Arizona's Consumer Fraud Act.

The judge did find that at least 2 plaintiffs did suffer damages that "would not have happened but-for" Banner's inadequate data security."  However, the class-action plaintiffs are not out of the woods yet.  Will all the class participants have similar damages?  Are they all similarly situated?  Is the heightened risk of identity theft actual harm, if the identity theft never occurs?  I would guess we will have to have the Supreme Court determine that.

Jeff [4:56 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template