The negative financial consequences of healthcare data breaches continue to worsen. Even a single healthcare data breach can easily end up costing millions of dollars in damages. Just last week, Oregon Health & Science University agreed to pay the Office of Civil Rights (OCR) $2.7 million for two data breaches in 2013 that involved more than 7,000 patients. This is likely not the end of these costs for OHSU, as fines are only a single component of the significant and ongoing costs of a breach. However, one of the challenges our C-Suite customers often face is quantifying the full financial impact of a breach, in order to prioritize privacy and security and make a business case to their board. To this end, Protenus is launching a new series of blog posts to break down and clarify the financial costs of a healthcare data breach.
Some of the costs of a health data breach are immediate, but others may linger and damage an institution for years to come. A breach can have severe, lasting effects on an organization’s bottom line.
In the coming weeks, we will cover the following cost categories:
- Costs associated with data forensics
- Costs associated with the notification of involved parties
- Related lawsuit costs
- The loss of business
- The loss of brand value
- Various other fines and penalties
Forensics and Notification
Data forensics refers to the science and process of determining the cause of a breach and precisely what information fell into the wrong hands. It’s a critical first step to both resolving the breach and improving an organization’s security posture for the future. This can be a process spanning months, and because it requires skilled auditors, it is often completed by a third-party vendor. It is often very costly, depending on the scope of the breach. Typically, once patients whose records have been breached are identified, the organization must inform those parties. Once the hospital or other facility has notified the affected parties, it is customary (and often mandated) to offer various support services, including monitoring for identity theft and providing patients with a contact number to address their questions and concerns. All of these measures carry ongoing costs, whether they are operated in-house, staffed, or contracted out.
Lawsuits, Lost Business, and Lost Brand Value
One of the major costs when speaking of a healthcare data breach is a lawsuit. Even small-scale breaches (of just a single record) can cause tremendous harm, whether the affected patient is a regular Joe or a sought-after celebrity. In 2011, the UCLA Health System agreed to pay $865,500 as part of a settlement with federal regulators after two celebrity patients alleged that hospital employees broke the law and reviewed their medical records without authorization. And just last month, a former employee of a hospital in Colorado sued, alleging the organization breached his right to privacy when it disclosed he was HIV positive, according to the Denver Post. However, lawsuits are just a piece of the puzzle when it comes to understanding the costs associated with losing the confidence and trust of patients. The loss of current and potential patients, and the damage done to the organization’s brand, can be even more significant, as we’ll discuss in a future post.
Fines and Penalties
Even if patients do not sue, a breached hospital may be obligated to make monetary payments in the form of fines and penalties, usually levied by the Office of Civil Rights (OCR). These can be just as costly as (or more costly than) lawsuits. The largest HIPAA fine issued by OCR so far is $4.8 million. The maximum for each violation category is $1.5 million, but enforcement and penalties have become increasingly aggressive, particularly in the past few years since the new rules took effect in 2013, and that trend is expected to continue.
The Lasting Effects of a Health Data Breach
Once the immediate costs of a healthcare data breach are under control, and the causes of the breach identified, organizations must still put together a plan to prevent future breaches. Security and technology overhauls are a common occurrence in these instances, especially if the organization wants to minimize the fines and penalties it likely faces. Taking active steps to prevent another breach can also help to mitigate the threat of lawsuits. Of course, these preventative actions come with their own costs. These often turn into annual costs that reach far into the future.
A breach can be devastating, both for patients and for the organization that must clean up after it. As is often the case with security and compliance, however, an ounce of prevention is worth a pound of cure. In almost every category of breach costs, whether forensics, fines or brand value, solid protocols and a proactive patient privacy analytics program help reduce or eliminate financial risks to your institution.
Stay tuned for our deeper look at forensics costs, coming up as the next installment in our Price of Privacy series later this month.
Get additional information in our Cost of a Breach: A Business Case for Predictive Privacy Analytics White Paper.