
The Costs Of Data Breaches And Violation Against HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and other covered entities to protect patients' protected health information (PHI). Although it has been about 20 years since HIPAA was passed, there has been a continuous stream of PHI breaches. When a breach does occur, the healthcare provider usually suffers substantial damage: regulatory fines and settlements, loss of credibility, and the cost of related lawsuits.

Read: The Three Safeguards of the HIPAA Security Rule Summarized

When a breach occurs, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) investigates to determine the cause and whether the breach resulted from willful neglect. If the matter is settled, the covered entity pays a settlement amount and enters into a resolution agreement that includes a corrective action plan: concrete remediation steps plus updated policies and procedures intended to prevent breaches of the same kind in the future. OCR then monitors the entity's compliance for the term of the agreement, generally about three years, to confirm that it is meeting its obligations. If the covered entity fails to meet the obligations in the resolution agreement, it can face large civil money penalties for noncompliance.

HHS publishes example settlement cases together with the resolution agreements for those cases. Across the 23 cases HHS has provided, settlements total $25.9 million, which averages out to roughly $1.1 million per case. A selection of the cases is summarized in the table below:

Date      | Entity                            | Settlement  | Individuals affected | Case
----------|-----------------------------------|-------------|----------------------|-----------------------------------------------------
06-23-14  | Parkview Health System            | $800,000    | 5,000-8,000          | Medical records left unattended (record dumping)
05-07-14  | New York and Presbyterian Hospital | $3,300,000  | 6,800                | Digital PHI exposed to internet search engines
05-07-14  | Columbia University               | $1,500,000  | 6,800                | Digital PHI exposed to internet search engines
04-22-14  | Concentra Health Services         | $1,725,220  | N/A                  | Stolen laptop
04-22-14  | QCA Health Plan Inc.              | $250,000    | 148                  | Stolen laptop
03-07-14  | Skagit County                     | $215,000    | 1,581                | PHI on a publicly accessible server
12-20-13  | Adult & Pediatric Dermatology     | $150,000    | 2,200                | Stolen thumb drive
08-14-13  | Affinity Health Plan              | $1,215,780  | 344,579              | Photocopier hard drives not wiped before return
07-11-13  | WellPoint                         | $1,700,000  | 612,402              | PHI accessible to unauthorized individuals over the internet
07-12-13  | Shasta Regional Medical Center    | $275,000    | N/A                  | Intentional disclosure of PHI to multiple media outlets
05-21-13  | Idaho State University            | $400,000    | 17,500               |