Update: Increase in Estimated Cost of a HIPAA Breach

With Phase 2 of HIPAA audits in full swing, many companies are worried about potential fines and penalties from the Office of Civil Rights (OCR). However, the cost of a breach can cost a lot more than any fines from OCR. The easiest way to avoid the financial impact from either source is to implement a HIPAA compliance plan. You may feel that implementing a plan is a cost you don’t want to incur, but taking the steps to become HIPAA compliant costs a lot less than meeting the required actions when there is a breach.

We first blogged about the cost of a breach in April 2016. Recent reports indicate a significant increase in cost. In June 2016, the Ponemon Institute released a new research report on the cost of a data breach in the United States. This study looked at 64 different companies in 16 different sectors and analyzed each company’s average cost of a breached record. The report states the average cost for each breached record is $221, a $4 increase from the Ponemon 2015 report.¹ (This increase may be due to additional records illegally accessed in each breach.)

Healthcare, life science, and financial companies are heavily regulated and face larger penalties and fines when there is a breach of patient information.¹ The average cost per breached record in healthcare is $402. The average cost per breached record in the financial/insurance sector, which is the third largest cost behind health and life science, is $264. Costs for a breach in the healthcare sector are 37% higher than those in insurance.¹ Data breaches with malicious intent account for half of all data breaches. The average cost per capita of a malicious/criminal attack is $236, whereas system glitch and human error came in below the $221 total average of all industries at $213 and $197, respectively.¹

Let’s examine the cost of a breach for two industries – a medical center and a financial institution.

Medical Center: Breach of 3,000 records at $402 per record        $1,206,000

Financial Institution: Breach of 3,000 records at $264 per record $    792,000

Difference  $    414,000

Required responses when there is a breach:

1. All patients/clients must be notified of breach.
2. If the NPP does not clearly state patients/clients can be notified by email, the state may require notification by first class mail.
3. Legal professionals must review the notification plan and advise on other legal ramifications that may occur as a result of the breach.
4. Security professionals will need to remedy network issues.
5. Offer credit card monitoring to all patients/clients after a breach.

The costs outlined above are tangible ones that we can put a specific dollar amount against. In addition, time, effort, and organizational resources spent make up indirect costs. There is also the potential for an even larger cost classified as ‘opportunity costs’– the loss of your patients’, employees’ and/or customers’ trust once the breach has been reported to the victims and potentially the media.

According to a study conducted by TransUnion Healthcare, more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach; and nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.²

The data isn’t any better for employers. In an article by the Society for Human Resource Management, Matthew Tokarz, Senior Corporate Recruiter for Instant Alliance explains, “If employee trust is a casualty of a cyber attack, the organization will inevitably face the daunting challenge of attracting and hiring top-level talent to the organization”.³ The cost of a breach is very high no matter what market segment you are in.

The Ponemon study states that “certain factors decreased the cost of data breach,” as well as help prevent breaches. Having an incident response plan in place, using encryption for records at rest as well as in transit, training employees on your HIPAA compliant security policies and procedures, and using data loss prevention technologies result in a reduction of the cost of a data breach.¹

Conclusion

You are more likely to experience a breach than you are to be audited. As health care data becomes more valuable, breaches will become more frequent. According to Identity Theft Resource Center, 91% of all healthcare organizations reported at least one data breach over the last two years.⁴ With the value of healthcare data at an all-time high, not only will healthcare organizations be targeted, but also covered entities and business associates that have access to PHI. The cost of a breach is increasing every year. You may want to consider whether that cost is something you can afford.

No matter the size or cause of the breach, the cost of mitigating it is time-consuming and expensive. The best plan of action is to protect your organization with a well-tested HIPAA compliance plan. As the saying goes, “an ounce of prevention is worth a pound of cure.” -Benjamin Franklin

1. 1. Ponemon Institute. (June 2016). 2016 Cost of a Data Breach Study: United States (pp. 1, 2, 7, 8, 9). Retrieved from IBM: www.ibm.com/security/data-breach

1. 1. http://newsroom.transunion.com/transunion-survey-nearly-seven-in-10-patients-would-avoid-healthcare-providersthat-undergo-a-data/

1. 1. https://www.shrm.org/hrdisciplines/safetysecurity/articles/pages/regaining-trust-after-data-breach.aspx

1. http://www.usatoday.com/story/money/personalfinance/2015/07/24/steve-weisman-health-care-data-breach/30593661/

Sharing is caring!