Calculating the true cost of a healthcare data breach

Healthcare data breaches come in all sizes and varieties – from the massive breach of 80 million patient and employee records at insurance giant Anthem to a stolen iPhone containing about 400 unencrypted patient records at Catholic Health Care Services in Philadelphia.

Even "small" breaches can be costly. The Catholic Health breach resulted in a $650,000 regulatory fine and a two-year corrective action plan.

According to the latest Ponemon Institute study, the healthcare field has the highest cost per breached record of any industry: $402. That adds up to $4 million for 10,000 records – about twice the cost of a breached record in the retail sector.

In this article, we'll take a step-by-step approach to tallying the true cost of a healthcare data breach. When CIOs see how easily the total tab can reach $7 million or more, it should be much easier for them to get the funds needed to prevent or minimize the devastating consequences of a breach.

The Hackers Are Winning

For healthcare executives, the news on data security gets gloomier every month:
• Breaches are up, ransomware is up, and complaints are up. The 2016 audits are in full swing, and the Office for Civil Rights (OCR) is increasing fines and penalties for non-compliant organizations.

• The Health and Human Services (HHS) website notes that there were 113 million records compromised in 2015 – an eightfold increase from the previous year. There are now about 26 breaches every month, the highest it's been since HHS began keeping records.

• The number of complaints has risen 30% since OCR created an online portal for submitting them last year. They're receiving almost 1,800 complaints per month – around 60 per day. OCR investigates about half the complaints. The remaining ones are either turned over to the Department of Justice or deemed not to involve HIPAA. Roughly two-thirds of all OCR complaint investigations result in corrective action plans, settlement agreements and fines – and can put organizations under increased scrutiny for years.

• Ransomware keeps getting more sophisticated. In a ransomware attack, hackers lock up healthcare data and make it unusable (and potentially sellable) until the data thieves receive a ransom to release it. The new SAMSAM ransomware doesn't rely on phishing emails; instead, it gets installed through unpatched vulnerabilities on a server. Crysis – now deemed to be the #1 ransomware threat – doesn't just encrypt files but actually pulls them from a network. And the new Locky strain of ransomware can encrypt files even when computer hardware is turned off, putting even backup tapes in jeopardy.

How Much Can It Cost Us?

Calculating the cost of a healthcare data breach requires examining the repercussions of a breach in five major categories: reputational, financial, legal/regulatory, operational and clinical. (See Figure 1 below.)


Figure 1. The five major categories and 20 subcategories for calculating the total cost of a data breach (i).

Bear in mind that the Ponemon Institute's estimated cost of a single breached record ($402) doesn't include all of these hard-to-quantify considerations. The total cost is often much higher.

Let's examine each category in greater detail:

Reputational damage – A healthcare organization's reputation can quickly get tarnished by a breach, depending on its size, the sensitivity of compromised data, and age/income of affected individuals. According to the Ponemon study, nearly 7% of patients are likely to switch to another provider after a data breach. Other fallout can include a drop in the number of new patients, loss of strategic partners, and the loss of staff members who feel it's better to jump ship than remain with a troubled organization.

Financial impact – The known costs of a breach clean-up can be staggering. There's the cost of remediation/mitigation (fixing the security issues that led to the breach), the expense of notifying affected individuals (which in Anthem's case was at least $40 million), cost of changing vendors (if the breach was caused by a business associate), and more. In the aftermath of a breach, most organizations offer credit and ID theft monitoring to their patients, which can run as high as $25/month per person.

Legal and regulatory repercussions – These costs include OCR fines and penalties, state fines/penalties, the expense of reestablishing accreditation, and the soaring cost of lawsuits. First-time civil monetary penalties can be as high as $50,000 per breach, while repeat violations within a year cost $1.5 million. Class-action lawsuits following a breach can be very costly to litigate or settle. For example, Sutter Health was hit with a $1 billion class-action suit, and TRICARE Health Management was sued for $4.9 billion.

Operational expenses – These costs can vary, depending on whether the breach was intentional or non-intentional – and whether it involved malice. If employees are fired for security violations (like those fired for snooping into Kim Kardashian's records at Cedars-Sinai Medical Center), there's the cost of hiring and training replacement employees. Some providers do a major reorganization following a breach, which can also be costly.

Clinical considerations – When the confidentiality, integrity and availability of patient records are compromised, it becomes a significant patient safety issue. Hackers now have the ability to alter a patient's medical record or make it unavailable via ransomware, which can lead to delayed or inaccurate diagnoses that can be fatal. A breach may also cause an organization to process fraudulent medical claims – and can produce faulty data in research projects. These can in turn cause an organization's quality scores to plummet.

When a provider weighs all these factors, the true cost of a healthcare data breach is about $700 per compromised record. If 10,000 records are breached, that's a true cost of $7 million.

That's why it's vitally important for healthcare organizations to conduct a bona fide risk analysis – and to implement safeguards and controls gleaned from that analysis. Taking this important step can dramatically reduce the risk of a breach ever occurring – and can provide that protection at a fraction of the cost associated with a breach.

According to industry reports, Anthem has exhausted its $100 million cybersecurity policy cap just from that single breach in 2015 – and the costs keep mounting. Most healthcare organizations can't afford a devastating blow like that. Just by calculating the potential cost of a data breach at your organization, it should be relatively easy to get the funding needed for a thorough risk assessment that can greatly reduce your breach exposure.

Bob Chaput, CEO and Founder, Clearwater Compliance 

(i) Published in The Financial Impact of Breached Protected Health Information, sponsored by ANSI; http://webstore.ansi.org/phi/

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2017.