Banner Health Data Breach Lawsuit

3.7 million people affected by massive security breach

Gibbs Law Group’s data breach attorneys represent the patients, insureds, doctors, and others affected by the data breach at Banner Health in the summer of 2016. Banner Health announced the breach on August 2, 2016, saying that it may have exposed the personal health and other sensitive information of up to 3.7 million people. Banner said the hackers accessed its medical records and payment card information used to buy food and beverages at Banner Health locations.

On November 23, 2016, Gibbs Law Group partner Eric Gibbs was appointed by United States District Judge Bolton of the District of Arizona to serve on the Plaintiffs’ Executive Committee. The Court considered competing applications from a number of law firms and ultimately selected Eric as part of the four-person leadership structure, which includes two co-lead counsel and two executive committee members. David Stein and Amanda Karl are also actively involved in the litigation. The case leadership filed Plaintiffs’ Consolidated Amended Class Action Complaint on March 3, 2017, and the consolidated litigation is now underway.

Were you exposed in the Banner Health Data Breach?

If you received a notice saying your information may have been compromised in the Banner Health data breach, contact a data breach attorney for a free consultation by calling toll-free (800) 254-9493 or filling out the form.



Banner Health Data Breach Leaves Millions of People Vulnerable

According to Banner, its network was compromised on June 17, 2016, and the breach was discovered by the company on July 13, 2016. The potentially compromised information varies based on individuals’ relationships to Banner Health, and is detailed below:

Banner Health Patients

Potentially compromised information for patients of Banner Health’s 23 hospitals and other specialized facilities includes:

  • patient names
  • addresses
  • birthdates
  • physician names
  • dates of service
  • clinical information
  • health insurance information
  • Social Security numbers (if they were provided to the system)

Banner Health Plan Members and Beneficiaries

In addition to the personal information listed above, information that may have been breached for those enrolled in a Banner health plan includes:

  • claims information
  • insurance information
  • employee benefit information

Banner Health Providers and Physicians

According to Banner, the types of provider information potentially breached in the cyber-attack may include:

  • provider names
  • addresses
  • Drug Enforcement Agency numbers
  • tax identification numbers
  • national provider identifier numbers

Banner Health Food and Beverage Customers

For those individuals who used payment cards at the affected Banner Health Food and Beverage outlets listed at the bottom of this page, breached information may include:

  • Cardholder names
  • Card numbers
  • Expiration dates
  • Internal verification codes

Questions Emerge About Banner Health Data Security

Several media outlets and IT publications reporting on the breach have questioned the security system in place that would allow hackers to access medical data through a payment processing system. According to a senior information security analyst commenting on the Banner Health data breach in Healthcare IT News, “These should have been entirely segregated from one another – I can’t imagine any reason why a cafeteria point-of-sale system would need access to systems storing medical records.”

Dangers to Consumers in the Exposure of Personal Health Information

For several years, the FBI and security experts have warned that cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry. That is because Personal Health Information (or “PHI”) is a rich source of personal data that can be used in identity theft. The black market resale value of PHI is estimated to be ten times higher than credit card data. While credit cards can be cancelled or replaced, PHI – including name, age, gender, address, Social Security numbers, diagnosis codes, insurance information and personal medical history – can’t be changed.

Criminals may use this stolen medical information to create fake IDs to buy medical equipment or drugs that can be resold, or combine a patient number with a provider number and file false claims with insurers. Having access to detailed personal data can also make targeted email or spear phishing attacks easier and more effective, and threats to disclose private and potentially embarrassing medical information could be used for potentially lucrative blackmail schemes.

Case Status

On November 23, 2016, Gibbs Law Group partner Eric Gibbs was appointed by United States District Judge Bolton of the District of Arizona to serve on the Plaintiffs’ Executive Committee. All of the class action suits that had been filed in the District of Arizona were consolidated into a single proceeding. On March 3, 2017, Plaintiffs filed their Consolidated Amended Class Action Complaint. In the complaint, Plaintiffs propose representing four different classes that are subject to change:

  • Patient Class
    All Banner healthcare patients whose PII and/or PHI was maintained on Banner’s network and who were mailed a breach notification letter from Banner
  • Insured Class
    All insurance plan members whose PII and/or PHI was maintained on Banner’s network and who were mailed a breach notification letter from Banner
  • Employee Class
    All Banner healthcare service providers and employees whose PII and/or PHI was maintained on Banner’s network and who were mailed a breach notification letter from Banner
  • Point-of-Sale Class
    All individuals who used a payment card at a Banner location, whose PCI was transmitted through Banner’s [REDACTED] server and who were mailed a breach notification letter from Banner

Banner tested the legal sufficiency of the claims in the Complaint in a motion to dismiss. Many of Plaintiffs’ claims survived. A copy of Judge Bolton’s Order on the motion to dismiss, issued on December 20, 2017, can be found here.

Looking forward, fact discovery is underway. Plaintiffs’ motion for class certification is likely to be filed in Spring 2018.

Our Extensive Data Breach Class Action Experience

We are representing health-plan subscribers whose information was compromised when hackers infiltrated Anthem Blue Cross, and Excellus Blue Cross and Blue Shield. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.

Partner Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.

Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.

Reputation for Excellence in Consumer Protection and Class Actions

Eric Gibbs was recently recognized by the Daily Journal as a “Top Plaintiff Lawyer in California for 2016.”

The firm was also distinguished as a Tier 1 law firm for plaintiffs’ mass tort and class-action litigation in the 2013-2016 “Best Law Firms” list, an annual survey published in the U.S. News & World Report’s Money Issue. The National Law Journal (NLJ) named Gibbs Law Group to its elite “Plaintiffs’ Hot List” for 2012, a selection of top U.S. plaintiffs’ firms recognized for wins in high-profile cases. Several of the firm’s attorneys have earned AV-Preeminent ratings from Martindale-Hubbell, recognizing them in the highest class of attorneys for professional ethics and legal skills.

Affected Banner Health Restaurants and Locations

According to Banner Health, the food and beverage locations that were affected include:

Arizona Locations

  • Banner – University Medical Center Phoenix Bistro
  • Banner – University Medical Center Tucson Healing Gardens
  • Banner – University Medical Center Tucson Main Campus
  • Banner – University Medical Center Tucson South Campus
  • Banner Baywood Medical Center Cafeteria (Mesa)
  • Banner Behavioral Health Hospital – Camelback Café (Scottsdale)
  • Banner Boswell Medical Center – Lobby Latte (Sun City)
  • Banner Boswell Medical Center Culinary Svcs (Sun City)
  • Banner Casa Grande Medical Center Café
  • Banner Corporate Center-Mesa Bistro
  • Banner Corporate Center-Mesa Espresso
  • Banner Del E. Webb Medical Center – Daily Grind (Sun City West)
  • Banner Del E. Webb Medical Center Culinary Svcs (Sun City West)
  • Banner Desert Medical Center Bistro (Mesa)
  • Banner Estrella Medical Center Café (Phoenix)
  • Banner Gateway Medical Center – Canyon Café (Gilbert)
  • Banner Heart Hospital Deli (Mesa)
  • Banner Ironwood Medical Center Café (Queen Creek)
  • Banner MD Anderson Cancer Center – Salt River Bistro (Gilbert)
  • Banner Thunderbird Medical Center – Tbird Café (Glendale)

Other States

  • Fairbanks Memorial Hospital Café (AK)
  • Banner Fort Collins Medical Center Café (CO)
  • East Morgan County Hospital Bistro (CO)
  • McKee Medical Center Cafeteria (CO)
  • North Colorado Medical Center Bistro 1
  • North Colorado Medical Center Bistro 2
  • Community Hospital – Torrington Bistro (WY)