On August 3, 2016, Defendant Banner Health announced that hackers had infiltrated their systems and compromised a broad spectrum of personal information, affecting over 3.7 million individuals. Because Banner failed to implement reasonable cybersecurity measures, the hackers were able to target and access payment card data at Banner food and beverage outlets, such as cardholder names, card numbers, expiration dates, and verification codes. But the hackers also infiltrated the computer systems where Banner stored its customers’ most private (and valuable) information, including their personal health details, Social Security numbers, health insurance information, financial information, names, birthdates, and addresses. Banner’s cybersecurity was so inadequate that the hackers even accessed the systems that stored information on Banner’s healthcare providers, including their Drug Enforcement Agency numbers, Tax Identification numbers, National Provider Identifiers, and Social Security numbers.
Banner claims that the breach began on June 17, 2016, and that it failed to detect that hackers had accessed its payment card systems until July 7, 2016. It also claims that it did not detect the compromise of patient and employee information until July 13, 2016. Even then, Banner did not publicly disclose the breach until August 3, 2016 and still has not notified all those affected.
The personal information of Banner customers and healthcare providers has been exposed—and their identities put at risk—because Banner failed to maintain reasonable and adequate security measures. Despite having legal and moral obligations to protect the vast amounts of extremely sensitive and valuable personal information it stored, Banner repeatedly failed to prevent, detect, or limit the scope of this breach.
The complaint alleges that, among other things, Banner (1) failed to implement adequate security measures to prevent hackers from infiltrating its systems; (2) failed to employ adequate security tools and techniques to detect unauthorized network activity or failed to respond to indicators of compromise; and (3) failed to adequately segment its networks, which would have limited the hackers’ ability to access the various systems and data warehouses within Banner’s computer networks.
Plaintiff is a former Banner patient who received a letter from Banner informing her that her personal information was involved in the breach. She brings this action on behalf of herself and all those whose personal information has been compromised as a result of the data breach. She seeks injunctive relief requiring Banner to implement and maintain adequate security practices, to comply with laws, regulations, and industry standards designed to prevent, detect, and mitigate, this type of breach, as well as restitution, damages, and other relief.