Top health care data breaches: Costs and physician accountability
Key Takeaways
The incidence and costs of health-care data breaches are staggering. Last month, Anthem paid a record $16 million settlement for a data breach that occurred in 2015—the largest breach and the largest fine to date. But such hefty penalties and ensuing costs are not limited to large health-care corporations. Physicians in solo or smaller group practices will also be held accountable.
Consider that, currently, a full 26% of US consumers have had their personal medical information stolen from technology systems. Among those, 50% were victims of medical identity theft, according to a survey of over 2,000 US consumers from Accenture.
Breaches occurred in hospitals (36%), urgent-care clinics (22%), pharmacies (22%), physician’s offices (21%), and health insurers (21%). Only 33% of victims, however, were alerted by the organization where the breach occurred, while the rest of the victims found out from other sources.
But despite these breaches, significantly more of all consumers still trust their health-care providers (88%) and payers (82%) to keep their data secure compared with trusting health technology companies (57%) or the government (56%).
Almost all of the victims took action, with 25% changing their health-care provider, 21% changing their insurance plan, and 19% seeking legal counsel.
Top breaches of 2018 so far
Through August 2018, 229 data breaches have occurred, affecting 6.1 million individuals, according to HealthcareInfoSecurity. These breaches have been submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for investigation, as required since 2009 for all HIPAA-covered entities experiencing a breach affecting over 500 individuals.
Ninety-one of the breaches reported since the beginning of 2018 through August were listed as hacking/IT incidents that affected 4.3 million people; 91 as unauthorized access or disclosure breaches affecting 803,000; 41 as theft or loss affecting 677,000; 6 as improper disposal affecting 330,000; and the remainder listed as unencrypted computing devices affecting 80,000.
As of October 23, these are the top 5 data breaches in 2018:
- Iowa Health System d/b/a Unity Point Health, IA: 1,421,107 individuals (hacking/IT)
- Employees Retirement System of Texas, TX: 1,248,263 individuals (unauthorized access/disclosure)
- California Department of Developmental Services, CA: 582,174 individuals (hacking/IT)
- MSK Group, TN: 566,236 individuals (hacking/IT)
- LifeBridge Health, Baltimore, MD: 538,127 individuals (hacking/IT)
Calculating the costs
Data breaches cost the health-care industry about $6 billion each year, according to estimates from Experian.
In October, Anthem agreed to pay $16 million to the OCR to settle HIPAA violations following a series of cyberattacks. The breach exposed the protected health information of nearly 79 million people. It is the largest health data breach in US history, and the settlement is the largest HIPAA settlement in history.
But what about physicians in solo or small group practices? Surely, these numbers don’t apply to them.
Experts say that smaller medical practices are still vulnerable and may be targeted specifically because they are less likely to have as many security protocols in place as large hospitals and health-care systems.
Further, all practices—big and small—are liable for all security breaches, and a data breach can still have a huge monetary impact. The cost of a health-care data breach, according to a report from IBM and the Ponemon Institute, is $408 per record—the highest of any industry for the eighth straight year. When estimating the possible cost of such a breach, there are five categories to consider: reputational, financial, legal/regulatory, operational, and clinical.
Reputational repercussions include the loss of patients, both current and new, the loss of strategic partners, and the loss of staff. Financial repercussions include the costs of remediation, communication, deductibles, increased insurance coverage, and switching to new vendors.
Legal and regulatory repercussions include fines and penalties from the OCR and the state, the loss or need to reestablish accreditation, and the possible costs of a potential lawsuit. Operational repercussions include the costs of new hires and reorganization. Finally, clinical considerations include the fraudulent claims that may have been processed, delayed/inaccurate diagnoses, and bad data for research.
When all is said and done, the true costs of a data breach could far exceed $700 per record.
The HIPAA Omnibus rule, effective March 2013, allows HHS to impose a fine of up to $1.5 million per incident. This law requires providers to report breaches involving as few as 501 patients, which has a definite impact on small practices. It also opens the possibility of a class action lawsuit.
For physicians in solo or group medical practices, each HIPAA violation could cost between $100 and $50,000 per patient record if strong security measures are not in place. Furthermore, even smaller practices can face lawsuits and associated expenses once the local media uncovers any data breach. Finally, the damage to the practice’s professional reputation could significantly impact revenue by causing patients to seek treatment somewhere else.
Not only do state and federal authorities have to be notified, but each patient affected by the breach must also be notified individually. This costs roughly $4 per patient. Add this to the cost of providing patients with credit-monitoring services to detect identity theft, which is about $10 per patient, and multiply these by the total number of patients in a practice.
The bottom line is that everyone responsible for patient record security—both large and small—will be held accountable.