
The Costs Of Data Breaches And Violation Against HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation that requires healthcare providers to keep protected healthcare information (PHI) secure. Despite it being 20 years since HIPAA was passed, there has been a continuous stream of PHI breaches. When a data breach does occur, a healthcare provider usually suffers heavy damages in fines and lost credibility, as well as the cost of related lawsuits.

Read: The Three Safeguards of the HIPAA Security Rule Summarized

In the event a breach does occur, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) investigates to determine the cause and whether or not the breach was caused by willful neglect. During this process, the covered entity must provide a settlement payment and a resolution agreement that covers its concrete action plan as well as a proposal for updating policies and procedures so that breaches of the same nature do not happen again. The OCR then monitors the entity's activity, generally for a period of 3 years, to make sure it is carrying out its agreed-upon obligations. If the covered entity is found to be failing to meet the agreed-upon resolution obligations, it can face large civil money penalties for noncompliance.

The HHS publishes example settlement cases as well as the resolution agreements for those cases. Across the 23 separate cases that the HHS has provided, settlements totaled $25.9 million, which averages out to around $1.2 million per case. The cases are summarized in the table below:

| Date | Entity name | Settlement | # of affected individuals | Case |
|---|---|---|---|---|
| 06-23-14 | Parkview Health System | $800,000 | 5,000-8,000 | medical record dumping |
| 05-07-14 | New York and Presbyterian Hospital | $3,300,000 | 6,800 | digital data open to search engines |
| 05-07-14 | Columbia Univ. | $1,500,000 | 6,800 | digital data open to search engines |
| 04-22-14 | Concentra Health Service | $1,725,220 | N/A | stolen laptop |
| 04-22-14 | QCA Health Plan Inc. | $250,000 | 148 | stolen laptop |
| 03-07-14 | Skagit County | $215,000 | 1,581 | data on a publicly accessible server |
| 12-20-13 | Adult & Pediatric Dermatology | $150,000 | 2,200 | stolen thumb drive |
| 08-14-13 | Affinity Health Plan | $1,215,780 | 344,579 | photocopier hard drive not wiped |
| 07-11-13 | Wellpoint | $1,700,000 | 612,402 | accessible to unauthorized individuals over the internet |
| 07-12-13 | Shasta Regional Medical Center | $275,000 | N/A | intentional disclosure to multiple media outlets |
| 05-21-13 | Idaho State University | $400,000 | 17,500 | disabling of firewall protection |
| 12-30-12 | The Hospice of North Idaho | $50,000 | 441 | stolen laptop |
| 09-17-12 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. | $1,500,000 | N/A | stolen laptop |
| 06-26-12 | Phoenix Cardiac Surgery | $100,000 | N/A | publicly accessible clinical and surgical appointments |
| 03-13-12 | Blue Cross Blue Shield of Tennessee | $1,500,000 | 1,000,000+ | 57 stolen hard drives |
| 07-06-11 | UCLA Health System | $865,500 | N/A | unauthorized employees could access PHI |
| 02-14-11 | The General Hospital Corporation and Massachusetts General Physicians Organization, Inc. | $1,000,000 | 192 | loss of documents |
| 02-04-11 | Cignet Health of Prince George's County | $4,300,000 | N/A | denying 41 patients access to their medical records |
| 12-13-10 | Management Services Organization Washington, Inc. | $35,000 | N/A | used the information for marketing purposes |
| 07-27-10 | Rite Aid Corporation | $1,000,000 | N/A | improper disposal of prescriptions and labeled pill bottles |
| 01-16-09 | CVS Pharmacy, Inc. | $2,250,000 | N/A | improper disposal of prescriptions and labeled pill bottles |
| 07-16-08 | Providence Health & Services | $100,000 | 386,000 | loss of electronic backup media and laptop computers |
| Total | | $25,931,500 | | |

As the table shows, data breaches occurred in both small and large covered entities, and even in public government organizations such as the Skagit County case. There was also a first-ever settlement, for $50,000, in a case involving fewer than 500 patients. Simply put, breaches are independent of the size of the organization, and the HHS is cracking down on relatively small breaches as well. It is therefore important to be aware of even the smallest chance of a security breach in order to prevent it or respond to it effectively.

Read: The Primary Threats to Data Breaches of Protected Healthcare Information (PHI)

Also, from around 2012 the breach cases start to be ePHI-related, most likely due to the HITECH Act, which pushed for the transition to electronic health records by 2014. Many of these breaches involve easily avoidable situations such as losing unencrypted laptops and USB flash drives, improperly disposing of data, and technical mishaps such as leaving ePHI open to the public. Simple mistakes can be extremely costly for covered entities, with settlements that can be well over a million dollars.

Also, the HHS only disclosed the settlement amounts and does not mention the other costs associated with HIPAA data breaches. According to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy & Data Security, the average cost per data breach was approximately $2 million (almost double the average settlement amount from the table above), with a potential cost to the entire healthcare industry of $5.6 billion annually. Examples of these additional costs are the investigation after a breach, preparing and implementing the proposed action plan, implementing new technology, and the damage to a covered entity's reputation. Simply put, the settlement is only the tip of the iceberg of the costs associated with HIPAA breaches.

Despite HIPAA being in place, covered entities are still having issues with ePHI-related data breaches. Many, if not all, of these cases could have been easily prevented, saving the covered entity millions in settlement and associated costs. So instead of paying millions for data breach recovery, why not simply encrypt all data and storage devices? Why not restrict unauthorized people from accessing data? Why not wipe data off old devices? Why not properly train employees? In the long run, this is easier to do and a far more cost-effective option.
