1 Way HIPAA Breaches Might Start Costing You More Than a Fine

With the number of HIPAA breaches seemingly increasing at an alarming rate there may be a new trend in financial responsibility for the healthcare practice or business associate that is breached.

Most healthcare practices focus on HIPAA best practices (sometimes a little too late) to avoid fines from the HHS.  Many don’t consider other repercussions such as:

• Damaged Reputation
• Loss of Clients
• Increase Insurance Premiums
• Continued OCR Monitoring
• Cost of Implementing Changes

And until recently most didn’t concern themselves with being sued after a HIPAA breach.

That looks to be changing.

Here’s a list of reported lawsuits stemming from HIPAA breaches.  Some of these cases are a few years old but the lawsuits were all submitted this year.

• Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.
• Solara Medical Supplies Sued Over 114,000-Record Data Breach
• A class-action lawsuit has been filed against UConn Health, over its reported phishing attack that potentially breached the data of 326,000 patients.
• A class-action lawsuit accuses the UChicago Medicine and Google of violating patient privacy, by sharing thousands of patient records – without removing personal identifiers, according to a New York Times report.

It seems patients, that is clients of healthcare practices and ancillary services, are growing weary of breach after breach.

HIPAA Compliance is not optional.  Many practices are not taking protecting PHI seriously enough.  Many patients and clients feel the Department of Health and Human Services fines and settlements are not punitive enough.

Imagine a healthcare system with tens of thousands of patients paying a $3 million fine.  It’s a drop in the bucket for them.

Healthcare Clients Have Had Enough of the Lack of HIPAA Compliance

Patients and clients almost never receive any compensation for their PHI being compromised.  If they do its usually credit monitoring for a year or 2.

To add to the frustration many of the HIPAA breaches are avoidable.   In at least two, probably three, of the cases above the attacker gained access via phishing.  Phishing can be mitigated with stronger password policies, the use of MFA, advanced threat protection and education.

The remaining case involving Google is due to the University of Chicago Medicine sharing patient records with Google without removing personal identifiers.  What makes this interesting is it was recently announced that Google is working with Ascension on a project involving PHI.

HIPAA Compliance Cost Analysis

This is a quick and dirty cost analysis of a HIPAA Breach Versus HIPAA Compliance.

Currently, the average cost of a HIPAA breach is $408 per record.  Many practices have 10,000 records or more (smaller practices).  That means a HIPAA breach could cost an average healthcare provider a little over $4,000,000.

Chances are if the breach is not due to negligence the HIPAA settlement will be far less.

Let’s say the settlement is $100,000.

This does not take any of the following into consideration:

• Reputation Loss
• Client Loss
• Change and Technology Implementation
• Potential for Lawsuit

Let’s leave it at $100,000 for the sake of argument.

If the practice has 20 employees, it will take almost 2 years to exhaust a budget of $100,000 for IT and HIPAA compliance*.

Healthcare Providers Cannot Afford to Be Out of HIPAA Compliance

Many healthcare providers argue that the cost of hiring a qualified IT consultant and a HIPAA consultant (or an IT consultant who can also provide HIPAA consultation) is too high.

The truth is the risk and potential financial burden of not having a qualified IT consultant and HIPAA consultant is much higher.

Factor in the potential for class-action lawsuits (a very real potential in a litigious society) and the risk and cost are much higher.

Many of the HIPAA breaches are preventable.  Some might see these breaches as negligence.  A phishing attack is preventable with MFA.  Theft is mitigated by encryption.  A court of law might see these are negligence if they’re not in place.

A class-action lawsuit has the potential for being far more damaging financially than a HIPAA settlement.

Time to get your ducks in a row.

*Support Costs Vary Depending on the Healthcare Provider’s Requirements & Support Provider Rates.  This analysis is based on the average price per user at the time of this article.