The True Cost of One Healthcare Data Breach

By: Josh Mayfield | 8/30/2018

IT leaders are reinventing their infrastructures to support a mobile workforce and a complex array of connected devices. Against this backdrop of increased mobility and connectivity, healthcare IT is tasked with meeting compliance challenges in an intricate and transformational regulatory environment. With a host of new data protection regulations and increasingly high settlement fees for data breaches, data security has never been more important to healthcare organizations.

Protected Health Information (PHI) is becoming increasingly attractive to cybercriminals with health records now fetching more than credit card information on the black market. According to Forrester, a single health record is worth an average of $20 on the black market while a complete patient dossier with driver’s license, health insurance information, and other sensitive data can sell for up to $500.

While healthcare data security measures are improving, workforce mobility complicates these efforts with 33 percent of healthcare employees working outside of the office at least once a week. As government incentives call for more care to be delivered away from hospitals, we can only expect the mobile workforce to grow.

Data Breach Settlement With Minnesota AG

One of the most destructive data breach cases of the past few years involved a Chicago-based medical billing and revenue management services company. In July 2011, an employee of the organization left an unencrypted laptop containing the PHI of 23,500 patients inside a rental car, which was subsequently stolen, never to be recovered. Data on the laptop included patient names, dates of birth, social security numbers, billing information, and medical diagnostic information. Although there has been no report of any unauthorized use of the data to date, the incident caught the attention of Lori Swanson, Minnesota’s Attorney General, which led to a wider investigation into the company’s business practices in the state.

The FTC alleged that the organization failed to:

  • Provide appropriate security measures to protect consumers’ personal information
  • Employ reasonable procedures to ensure that personal information be removed from computers when it is no longer needed
  • Adequately restrict employee access to personal information based on an employee’s need for the information

Healthcare Data Breach — The Consequences

In July 2012, the healthcare organization in question settled the HIPAA / HITECH complaint instituted by the Minnesota Attorney General for $2.5 million but that was just a fraction of the overall cost to the business. The organization agreed not to conduct business in the state of Minnesota for a minimum of two years and up to six years. The decision of when it may resume business after the first two years is at the sole discretion of the Attorney General.

The impact this case has had on the organization’s bottom line is significant — revenue losses from the state of Minnesota alone are estimated at $22 to $25 million per year. The case also prompted two more federal investigations, including a Senate hearing, and a class action lawsuit by shareholders which was settled in September 2013 for $14 million.

This particular settlement is an important reminder that the Office for Civil Rights (OCR) is not the only enforcer of health information, privacy, and security regulations. While not as common, the FTC can also exercise its authority to find a lack of data security as an unfair or deceptive trade practice under Section 5 of the FTC Act. The need for healthcare organizations to remain compliant with HIPAA not only protects them from HIPAA auditors, it also ensures they are not exposed to additional enforcement actions from other regulatory and government bodies.

In total, this data breach resulted in direct costs in excess of $60 million in fines, penalties and lawsuit settlements. This does not include the legal fees, the cost of the new security protocols and audits, nor the lost revenue — all from the loss of a single laptop.

Data Security Compliance

The case against Minnesota AG offers frightening insight into the consequences of human error. If the organization had the correct security policies and solutions in place, the employee would have reported the loss of the laptops and IT could have taken appropriate measures such as:

  • Freezing the device so it becomes unusable
  • Remotely deleting the data
  • Retrieving data from the device
  • Tracking the device using geolocation
  • Running reports to prove compliance (data delete logs, encryption status reports, whether data was accessed by unauthorized users)

If this organization could have developed sufficient evidence of a “low probability” that PHI had been accessed or transferred by unauthorized persons, HIPAA-HITECH statues and regulations hold that there would have been no breach to report.

Leveraging Persistence Technology To Ensure Regulatory Compliance

IT is tasked with securing masses of PHI stored on devices portable enough to reside in an employee’s pocket —devices that are frequently lost or stolen. Tablets, smartphones and other ultra-portable devices have presented a unique challenge for IT.

The Absolute platform relies on patented Persistence technology. Persistence is embedded into the core of most computers, tablets, and smartphones at the factory. Once activated, it provides you with a reliable two-way connection so healthcare organizations can confidently manage mobility, investigate potential threats, and take action if a security incident occurs.

For more on the costs of health care data breaches, download the whitepaper The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices.

Financial Services