(Story updated at 4:43 p.m. ET)
An Arizona physician is the lead plaintiff in a class-action lawsuit against Banner Health over a massive data breach the health system disclosed last week.
The complaint alleges the credit and identity theft protections Banner has offered to breach victims are inadequate and that the system was negligent in allowing the data to be compromised, according to a report in the Arizona Republic.
Phoenix-based Banner said last week that a hacking incident may have exposed personal information belonging to as many as 3.7 million individuals.
Ophthalmologist Dr. Howard Chen has taken the role of lead plaintiff in the complaint, filed in Maricopa County Superior Court on behalf of patients, physicians, employees and even cafeteria customers whose data may have been pilfered. He is represented by Hagens Berman Sobol Shapiro, a law firm specializing in class-action suits.
Chen is on staff at Banner Thunderbird Medical Center in Glendale, Ariz., according to the newspaper report. He is not listed as a Banner physician on the system's website.
Rob Carey, an attorney with the law firm pursuing the case, called the one year of credit monitoring that Banner is offering “a skimpy fix,” according to the report.
The breach would be the eighth-largest in healthcare history since federal record-keeping began in 2009. It was unusual because two separate computer systems were compromised—one system for credit and debit cards used at 27 food service locations at Banner facilities in four states and another used for patient and health plan data.
Banner said in a statement that it first learned of the attack on its point-of-sale network on July 7 and by July 13 had also discovered its patient information system was compromised. The latter breach exposed individuals' birthdates, addresses, physicians' names, dates of service and claims information, and possibly health insurance information and Social Security numbers.
Since hackers stole the records of 78.8 million individuals in an attack on insurance giant Anthem in 2015, cyberattacks have dominated healthcare IT security concerns. The Anthem breach also has led to an escalation in post-attack protections afforded to breach victims.
The previous norm of one year of credit protection has been supplanted in some instances by two years of protection. Last year Blue Cross and Blue Shield plans announced it would begin offering free perpetual credit care and fraud protection to all of their members by Jan. 1, 2016.
“We believe, obviously, that a year isn't enough,” said Michella Kras, the Hagens Berman attorney that filed the case on Chen's behalf. She added that plaintiffs won't know how much protection, for how long and what is necessary since not all of the details are known about what information was taken.
Since she's been a patient at Banner, “For all I know, my information may be in there as well,” said Kras, whose firm has a class-action suit pending against Anthem as well.
A Banner Health spokesman declined to comment.
It's quite common for hackers to penetrate the defenses of a targeted organization and do little for an extended period of time, according to security experts.
Two security firms, Kaspersky Labs and Symantec, recently reported discovering a sophisticated “malware platform,” most likely developed by a state-sponsored surveillance organization, that had been residing undetected on several dozen computer systems for as long as five years.
Craig Musgrave, chief information officer of the Doctors Co., a medical liability insurance company, said even less sophisticated hackers typically “break in and sit there stealthily and wait” for users to reveal passwords and other pathways for further system penetration and exploitation.
“The average time to find a hacker is 200 days,” Musgrave said. Small physician practices often have their credit card processing, billing and EHR systems linked for convenience, making the penetration of one a risk to the others.
One relatively quick defensive upgrade is to quickly embrace the new chip-card readers, Musgrave said. “That is the most secure way to do a transaction.”