The True Cost of a HIPAA Breach
Richard Wagner, JD | September 22, 2013
Another week, another data breach. On September 10th, healthcare behemoth Kaiser Permanente sent out a letter to 670 patients, notifying them that their PHI had been impermissibly emailed out of network. But in light of all these recent data breaches and security failures, one might ask, “who cares?” If fixing the issue is as simple as writing an apology letter like Kaiser did, why go through all the hoops of encryption and access control and HIPAA compliance? After all, HHS still has the ultimate discretion of whether to assess penalties, right?
Well, if the only cost was paying a fee to HHS, this analysis would be correct. Unfortunately for providers, the true cost of a data breach typically dwarfs any sort of HIPAA or regulatory fine.
In a white paper put out earlier this year by tech company Symantec, a global analysis yielded that the average cost of a US data breach fell just a shade under $200 per record compromised, which aligns with other studies done on the subject. If this number seems high, it’s because it is. The $200/record figure takes into account the cost of notifying individuals, providing credit monitoring services to them for the next decade or two, and various other costs associated with remedying the event.
Think about that number again. $200 per person! That means that for each of the four laptops that were stolen from Advocate earlier this summer – with their one million of patient records stored on each – each mobile device represented, on average, about $200 million in potential liability to the health system. This number is truly astounding. Put another way, the liability risk for each laptop more or less equated to the asset price of the hospital building they walked out of.
To make matters worse, some could argue that $200/person mark represents a low estimate of the true total cost of a data breach. If an entity was particularly negligent, it could invite a class action lawsuit where the plaintiffs can and have asked for upwards of $1,000/record. Moreover, the $200/record figure doesn’t take into account the negative publicity and the effect that this could have on a publically traded healthcare company. Just ask CVS.
The scariest part of all of this is that many providers don’t understand the magnitude of the risks they are taking by skipping some of the HIPAA regulations. Sure, you could get caught by HHS under HIPAA and get penalized for not using secured email or secure text messaging, and you might have to pay a hefty fine as a result. However, the much bigger risk is having an IT failure and letting thousands of records walk out of your facility in a heartbeat. The real cost of that sort of an event will blow the regulatory fine away.