The minimum fine for a HIPAA violation of willful neglect is $1.5 million, but often in healthcare breaches organizations are charged with multiple violations. Additionally, hospitals face other financial burdens following breaches, such as loss of business, class-action lawsuits and even notification fees, which surprisingly can account for the largest sum.
For example, after Indianapolis-based Anthem reported hackers gained access to its server and compromised the information of nearly 80 million people, the cost of informing all affected parties by first class mail totaled approximately $40 million. Other reports suggest the total costs Anthem faces for the breach will exceed $100 million.
Anthem does have cyber insurance, according to CBS-affiliate site ZDNet, but the cost of the breach is likely to exceed its coverage.
The same is true outside of healthcare. In 2013, retail giant Target suffered an online attack where hackers stole credit and debit card information of 40 million customers. Target has a cyber insurance policy covering approximately $90 million, but all in all the breach will cost approximately $252 million, leaving a significant balance for the organization to sort out, according to the report.
However, the report suggests the cyber insurance market is growing, and cyber insurance companies will expand their coverage options.
“I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures,” said Peter Hancock, CEO of American International Group, according to the report.
More articles on data breaches:
Four areas your healthcare organization’s data may be exposed
Anthem to send last set of breach notifications by Monday
Premera faces multiple class-action lawsuits over data breach
