HHS OCR settled with Banner Health for $1.25 million following a 2016 data breach affecting approximately 2.9 million individuals. Attackers gained access to Banner Health's payment card processing system through a phishing attack, then pivoted to systems containing PHI. OCR found Banner Health failed to conduct a thorough risk analysis, implement security measures, review information system activity, and implement technical security measures.
Banner Health — Network Segmentation Failure HIPAA Settlement ($1.25M)
What Went Wrong
Attackers first compromised Banner Health's food and beverage payment processing systems at their healthcare facilities, then laterally moved to clinical systems containing PHI. The lack of network segmentation between food service point-of-sale systems and clinical systems allowed the lateral movement. OCR found inadequate risk analysis was the root cause.
Lessons Learned
Network segmentation is critical in healthcare environments. Payment systems and clinical systems must be isolated. The risk analysis scope must include ALL systems that store, process, or transmit ePHI — including ancillary systems like food service and administrative systems in healthcare facilities.
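The two lessons above, segmentation between payment and clinical networks and a risk-analysis scope that covers every system touching ePHI, can both be checked mechanically against an asset inventory and a firewall allow-list. The script below is an added example, not part of the enforcement record or any Banner Health tooling; the asset inventory, zone names, allow rules and risk-analysis scope are constructed sample data. It flags allow rules that let a foreign zone reach a zone holding ePHI systems without a documented justification or on any port, and it lists ePHI-handling assets that the declared risk analysis never covered (here an ancillary food-service system carrying patient diet orders).

```python
"""Segmentation and risk-analysis scope check (added example; all data is constructed)."""
from dataclasses import dataclass

ANY_PORT = 0  # convention used in the sample rules below for "any destination port"


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # network zone / VLAN the asset lives in
    handles_ephi: bool  # stores, processes or transmits ePHI


@dataclass(frozen=True)
class AllowRule:
    src_zone: str
    dst_zone: str
    dst_port: int        # ANY_PORT means the rule permits every port
    justification: str = ""  # documented business reason; empty means undocumented


# Constructed sample inventory: POS terminals, clinical systems, an admin portal,
# and an ancillary food-service system that nevertheless carries ePHI.
ASSETS = [
    Asset("cafeteria-pos-01", "food-service", False),
    Asset("cafeteria-pos-02", "food-service", False),
    Asset("ehr-db-01", "clinical", True),
    Asset("pacs-01", "clinical", True),
    Asset("hr-portal", "admin", False),
    Asset("dietary-orders", "food-service", True),  # patient diet orders are ePHI
]

# Constructed sample allow-list. The second rule is the flat-network path the
# case study describes: POS zone straight into the clinical zone, any port.
RULES = [
    AllowRule("food-service", "payment-gateway", 443, "card processing"),
    AllowRule("food-service", "clinical", ANY_PORT),
    AllowRule("admin", "clinical", 443, "approved EHR web access"),
    AllowRule("clinical", "clinical", ANY_PORT, "intra-zone"),
]

# Constructed risk-analysis scope: only the "obvious" clinical systems were assessed.
RISK_ANALYSIS_SCOPE = {"ehr-db-01", "pacs-01"}


def ephi_zones(assets):
    """Zones that contain at least one asset handling ePHI."""
    return {a.zone for a in assets if a.handles_ephi}


def find_segmentation_gaps(assets, rules):
    """Return (rule, reasons) for allow rules crossing into an ePHI zone that are
    undocumented or permit every port. Intra-zone rules are ignored."""
    protected = ephi_zones(assets)
    findings = []
    for r in rules:
        if r.dst_zone not in protected or r.src_zone == r.dst_zone:
            continue
        reasons = []
        if not r.justification:
            reasons.append("no documented business justification")
        if r.dst_port == ANY_PORT:
            reasons.append("allows any port (flat network path into ePHI zone)")
        if reasons:
            findings.append((r, reasons))
    return findings


def find_scope_gaps(assets, scope):
    """ePHI-handling assets that the risk analysis did not cover."""
    return [a.name for a in assets if a.handles_ephi and a.name not in scope]


if __name__ == "__main__":
    for rule, reasons in find_segmentation_gaps(ASSETS, RULES):
        print(f"SEGMENTATION: {rule.src_zone} -> {rule.dst_zone}:{rule.dst_port or 'any'}")
        for reason in reasons:
            print(f"  - {reason}")
    for name in find_scope_gaps(ASSETS, RISK_ANALYSIS_SCOPE):
        print(f"SCOPE: {name} handles ePHI but is outside the risk analysis")
```

Because `dietary-orders` handles ePHI, the food-service zone itself becomes a protected zone, so the check also covers rules into that zone; this is the practical effect of the "ALL systems" rule above, since an ancillary system in scope pulls its whole network segment into the segmentation review.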
Source: Official Enforcement Record