PHOENIX (AP) — A Phoenix-based health provider said it is expecting that an ongoing federal probe into a 2016 cyberattack will produce findings that the company’s past security assessments were inadequate.
The federal Office of Civil Rights is investigating the June 2016 attack that exposed personal information from Banner Health, The Arizona Republic reported.
The company disclosed in its recently released 2017 financial report that the federal probe has included queries about the provider’s security assessments. The company said it “anticipates that it may receive negative findings with respect to its information technology security program” that could result in fines.
Hackers gained access to Banner Health’s servers that contained medical and personal information, compromising the records of nearly 3.7 million patients, employees, health insurance customers and others.
In a statement, Banner Health said it’s cooperating with federal investigators and has made changes to cybersecurity issues identified after the data breach.
The changes include upgrades to security infrastructure and better monitoring of threats, the company said. It also has offered credit monitoring for people affected by the data breach.
The company said it could not provide an estimate on the possible fine that could result from the probe.
Banner Health also is dealing with a lawsuit filed in federal court in Phoenix.
The lawsuit, which includes employees and patients as plaintiffs, claims the data breach could have been prevented if the company followed industry precautions in safeguarding its systems.
The lawsuit claims hackers were able to move freely within the company’s computer system, gaining access to information like names, birth dates, addresses, social security numbers and medical histories.