Dive Brief:
- A district judge in Arizona dismissed three claims — breach of contract, good faith and implied duty of care — brought by patients of Banner Health following a 2016 data breach, FierceHealthcare reports.
- However, the judge let a class-action lawsuit proceed on claims of negligence, unjust enrichment and failing to comply with the Arizona Consumer Fraud Act.
- “There is at least a plausible inference that the identity theft alleged by two of the Plaintiffs would not have happened but-for Defendant’s inadequate data security,” wrote Judge Susan R. Bolton, referencing a similar judgment in an Anthem data breach case. “Furthermore, there is a plausible inference that the rest of Plaintiffs are now at an increased risk of identity theft which they are incurring costs to prevent.”
Dive Insight:
The data breach, discovered in July 2016, occurred when hackers gained access to Banner’s network via credit card payment systems at some of its food and beverage locations. In August, Dr. Howard Chen, a former Banner Thunderbird Medical Center employee, filed the class-action suit on behalf of himself and the 3.7 million individuals whose personal information was compromised.
In light of the cyberattacks at Banner and other healthcare organizations, HHS’ Office for Civil Rights urged providers to beef up their electronic authentication methods and conduct enterprise-wide risk analyses to identify cyber vulnerabilities. Some security experts felt OCR should have pressed even harder for multifactor authentication to reduce data hacks.
Still, many healthcare organizations fail to take cybersecurity seriously. According to new data from Black Book Market Research, eight in 10 organizations don’t have a designated C-suite leader for cybersecurity and more than half don’t perform regular risk assessments.
A recent HIMSS study was more hopeful, finding about 80% of organizations have a dedicated security staff and six in 10 employ a chief information security officer. Moreover, 71% of respondents said their organization budgets for cybersecurity and 60% of those said the allotment was 3% or more of the total budget.
Cybersecurity firm McAfee Labs recommends organizations use a combination of humans and machines to hunt for cyber threats. Best practices should include educating employees on the importance of system security and how to protect data, using the latest firewalls and web gateways and creating early warning traps to lure would-be attackers and preempt an attack, Jack Weafer, vice president of McAfee Labs, told Healthcare Dive earlier this year.