Everywhere we turn this year we are dealing with chaos and stress. Can we all just sing Kumbaya and make it go away? If only it were that easy. Just because craziness has happened doesn’t mean HIPAA goes out the window. As we all try to navigate the unknown, we cannot forget that criminals thrive on chaos like this. If you aren’t protecting your information, a data breach becomes almost inevitable. It is important to understand the data breach costs you are looking at when one occurs.


In this episode:

Data Breach Costs Continue Rising – Ep 267

HIPAA Say What!?!

This one comes from OCR themselves, just released yesterday. A postcard claims that HIPAA “mandatory” risk assessments must be done and that the way to do them is to contact the people who sent it. HIPAA Say What!?!

Alert: Postcard Disguised as Official OCR Communication

August 6, 2020

OCR has been made aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.  The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the health care organization’s HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment.  The link directs individuals to a non-governmental website marketing consulting services.

The postcard below is not from HHS/OCR.

HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  This communication is from a private entity – it is NOT an HHS/OCR communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR.  The addresses for OCR’s HQ and Regional Offices are available on the OCR website at, and all OCR email addresses will end in  If organizations have additional questions or concerns, please send an email to:

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation. 

Years ago I think someone else pulled this stunt. Things are not going to go well for these people. They may be FB Certified HIPAA Experts, but they clearly have just enough knowledge to get themselves in trouble. I doubt OCR will be nice to them if they really did get some business from this FUD mailing. Scare tactics like these create a list of problems: (1) they spread misinformation about HIPAA requirements, (2) they imply that OCR is involved, and (3) anyone who actually falls for it will pay a premium for what will likely be inadequate services.


[17:38] Police are looking into this one. I guess we know who has finally learned this is not a joke. X-rays of male genitalia may have been shared online by central Pa. imaging employee: police


Data Breach Costs Continue Rising

[27:25] The latest version of the annual Cost of a Data Breach Report from the Ponemon Institute is out. This is the 15th year they have done the report; IBM sponsors it now. There wasn’t much big news in it from a healthcare perspective. The numbers keep going up, as they usually do.


Of course, 2020 must include a cost factor for COVID-related issues. They have added a special category for increased costs due to adjustments made for the pandemic: $137,000 is designated as the additional cost expected due to the volume of remote work this year.


[37:17] But we use this report for more than just the total costs. It is one of the reports we use to set priorities, because it lists the things that “amplify” or “mitigate” the cost of a breach. Many people debate the totals or the per-record numbers, but very few will argue that the cost factors aren’t pretty accurate.


[39:42] And guess what, this report gives us some good ideas! An important one is that you can’t just throw money at the problem. If you don’t spend the money in the right way it really doesn’t help, according to this report. The number one factor that makes data breach costs worse is security system complexity.

A security skills shortage is another amplifier. If you have folks making systems complex, and then you don’t have people with the skills to monitor everything and keep it up and running, you are wasting your money and shooting yourself in the foot, right?

Testing the incident response plan, having a business continuity plan, and actually having an incident response team are the top three ways to mitigate your data breach costs. You know what else is near the top? Employee training!

Tune in to the audio for the full rundown of the data in the report. But one point I want to make clear: yes, the costs are increasing and were already expensive. However, this report shows that the ways to make it worse tend to involve throwing money at the problem without a plan, while the ways to make it better are the things not on most management radars when they think about building a secure environment.

We believe that making business decisions based on solid data and information is essential to our success. Data like this is invaluable in helping us make proper decisions for our business and advise our customers as well.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.