The federal government is investigating Banner Health's information technology security following the massive 2016 cyberattack potentially affecting 3.7 million patients, the health system revealed in its 2017 financial report released Monday.
HHS' Office for Civil Rights may fine the Phoenix-based not-for-profit health system upon completion of its ongoing investigation, the system noted in its report. Banner wrote that the OCR determined the system's initial response to its security assessment was "inadequate."
"Although Banner has supplemented its initial responses, Banner anticipates that it may receive negative findings with respect to its information technology security program, and that a fine may be assessed against Banner," the system wrote. "At this point, it is not possible to estimate the range of potential fines by the OCR."
People potentially affected by the 2016 cyberattack filed nine class action lawsuits against Banner that have since been consolidated into a single lawsuit, according to Banner's report. Banner wrote that management believes its cyber-risk insurance program will cover a substantial portion of the potential exposure from the litigation.
A Banner spokeswoman was unable to provide additional information on the cyberattack by deadline.
When organized by the number of individuals affected, the OCR currently has Banner at the top of its public list of breaches of unsecured protected health information involving at least 500 people and reported within the past 24 months.
Despite that, Banner's operating income continued its upswing last year. It was nearly $269 million on $7.8 billion in revenue, up 71% from $157 million on $7.6 billion in revenue in 2016.
The system's excess of revenue over expenses grew at an even faster clip, from $269 million in 2016 to $709 million in 2017, a nearly 164% jump.
Banner operates a handful of health plans on the commercial market, Medicare Advantage and Medicaid managed care. Last year, the system's claims costs were 103.4% of premium revenue, down from 105.8% in 2016.
Banner, which operates 28 hospitals, nursing homes, laboratories and other facilities in six Western states, will begin a new Medicaid contract with the Arizona Health Care Cost Containment System in October that will allow it to coordinate care for members in southern Arizona. That's in addition to Banner's existing Medicaid managed-care plan, University Family Care, which has a AHCCCS contract through September 2018.