We talked about OCR audits recently because they are in the news, and they have been a hot topic in the industry this month. The audit protocol is a perfect guide for developing and maintaining your HIPAA compliance program. However, the fact that only 200 audits will take place means the protocol matters far more as a guide for what your program should look like in the event you have a breach or complaint investigation. Statistically, you are much more likely to need it for that reason. That got us thinking: what does a data breach cost? So, in this episode we are going to talk about how you can estimate what the cost of a data breach might look like for you.
What does a data breach cost?
There are a lot of line items to consider when you attempt to estimate what a data breach might cost your organization.
Cost line items
- ID theft and repair plus credit monitoring
- Regulatory fines
- Disruptions in normal business operations
- Lost business
- Class-action lawsuits
- Legal and consulting fees to manage all of the above
These are just a few of the line items you have to consider when you do your own calculation of what a data breach costs your organization. Several of them (investigation, legal and consulting fees, business disruption) are largely fixed costs that show up whether 500 or 5,000 records are involved, which is why the per-record figures below climb as the breach gets smaller.
Breach Costs Calculator results
- 2,350 patients with data stored in a centralized location. No actual fraud is expected, but the breach occurred; no PCI compliance issues; no lawsuit has been filed. Notifications are required and include 1 year of credit monitoring.
  - Investigation: $130,940
  - Crisis management and notification: $48,376
  - Sanctions and fines: $985,000
  - Total costs: $1,164,316, or $495 per patient record.
- 1,000 patients, same scenario, and the total doesn't go down as much as you think….
  - Investigation: $130,400
  - Crisis management and notification: $32,075
  - Sanctions and fines: $850,000
  - Total costs: $1,012,475, or $1,012 per patient record.
At 500 patients the total at least gets under $1 million, at $962,488, but that works out to roughly $1,925 per patient record. The number of patients involved doesn't change the cost to investigate and deal with the issues a great deal; it is the per-record figure that moves.
Other costs not in calculators
Portal Healthcare Solutions
A business associate (BA) that exposed 2,300 records on the internet. Patients found their own records via a Google search of their names. This was back in 2012/2013, and Travelers Insurance is arguing that it doesn't have to cover the class-action lawsuit the patients filed against Portal.
The dispute has gone all the way to a federal appeals court. Travelers says its commercial general liability insurance policy doesn't cover the breach. Portal says it does: the relevant section of the policy provided coverage if Portal was obliged to pay damages as a result of the "electronic publication of material" resulting in "unreasonable publicity to a person's private life."
Who do you think is paying for lawyers, etc.?
Extortion is another cost that never shows up in a calculator. FBI figures suggest that in the first 3 months of 2016 alone, $209 million was extorted from U.S. companies (largely through ransomware); the total for all of 2015 was only $25 million.
Facebook Ad Campaign
The lawsuit names Facebook, Adventist Health System, the American Cancer Society, the American Society of Oncology, BJC Healthcare, the Cleveland Clinic, the Melanoma Research Foundation, and University of Texas MD Anderson Cancer Center, according to the Courthouse News Service.
The lawsuit claims that after cancer patients visit the providers' websites, ads for cancer treatment start showing up in their Facebook feeds. The suit claims that is a violation of HIPAA and other statutes.
Everyone has their hands up in the air saying "I didn't do it!" This goes back to website security and the importance of knowing what is going on with your website: specifically, which third-party scripts, pixels and embeds are loaded on your pages, and what they report back about the people viewing them. You cannot assess the exposure if you do not have an inventory.
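The inventory that point calls for can be automated. The following is an added example written for this post, not code from the original episode or from any of the parties named in the lawsuit: it parses a page's HTML and lists every script, image and iframe fetched from a host other than your own, plus inline scripts that call well-known tracker bootstraps. The sample page, the hostname `www.example-clinic.org`, and the watchlist of marker strings (`fbq(`, `gtag(`, `_linkedin_partner_id`) are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page standing in for a provider's site (not a real site).
# It mixes first-party assets with a Facebook pixel, its inline bootstrap, and an embed.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-clinic.org/js/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
  fbq('init', '123456789'); fbq('track', 'PageView');
</script>
</head><body>
<img src="/logo.png">
<img height="1" width="1" style="display:none"
     src="https://www.facebook.com/tr?id=123456789&ev=PageView&noscript=1">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
"""

# Inline-script markers that indicate a tracker being initialised. Assumed watchlist;
# extend it with whatever tags your own site is known (or suspected) to carry.
INLINE_MARKERS = ("fbq(", "gtag(", "_linkedin_partner_id")


class ThirdPartyInventory(HTMLParser):
    """Collect every script/img/iframe source served from a host other than our own,
    and flag inline scripts that contain a known tracker bootstrap call."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []          # list of {"tag", "host", "src"} dicts
        self._in_inline_script = False
        self._inline_buf = []

    def _is_third_party(self, host):
        host = host.lower()
        return host != self.first_party_host and not host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag == "script" and src is None:
            # Inline script: buffer its body and inspect it at the closing tag.
            self._in_inline_script = True
            self._inline_buf = []
            return
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname   # None for relative URLs such as /logo.png
            if host and self._is_third_party(host):
                self.findings.append({"tag": tag, "host": host.lower(), "src": src})

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._inline_buf)
            for marker in INLINE_MARKERS:
                if marker in body:
                    self.findings.append({"tag": "inline-script", "host": "(inline)", "src": marker})


def inventory_third_parties(html, first_party_host):
    """Return every third-party resource and flagged inline script found in `html`."""
    parser = ThirdPartyInventory(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_hosts(html, first_party_host):
    """Distinct external hosts the page causes a visitor's browser to contact."""
    return sorted({f["host"] for f in inventory_third_parties(html, first_party_host)
                   if f["host"] != "(inline)"})


if __name__ == "__main__":
    for finding in inventory_third_parties(SAMPLE_HTML, "www.example-clinic.org"):
        print(f"{finding['tag']:14} {finding['host']:24} {finding['src']}")
```

Run it against the saved HTML of each page that a patient can reach (appointment request, condition pages, patient portal login). Every host it prints is a party that learns the visitor's IP address and the URL they were on, and on a site where URLs name conditions or treatments that is exactly the data the lawsuit is about. A static parse only sees tags present in the HTML; scripts that inject further trackers at runtime need a browser-based crawl or a review of the site's outbound network requests, which this example does not attempt.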
So, what does a data breach cost in your business? Every business is different. But one thing is the same for everyone: organizations rarely have considered everything that actually comes up when dealing with a data breach.