gtag('config', 'AW-803824614');

The True Costs of a Breach: Much more than you might think 

By Susan M Lucci, RHIA, CHPS, CHDS, AHDI-F and Joseph D. Gradecki

Any breach of protected health information (PHI) is a serious issue. In recent years, healthcare organizations have been targeted by cybercriminals due to the high value of PHI. As of March 31, 2017, over 1,890 large breaches have been reported to the Department of Health and Human Services (HHS) since reporting began in 2009. Hacking is directly responsible for more than 75 percent of all patients whose PHI has been compromised. Large breaches present a huge financial impact to the facility involved and the associated costs can mean devastating financial losses.

After a large breach occurs, a pattern of events takes place: patients are notified and typically provided with credit monitoring, internal resources are tasked with managing the situation for inevitable questions that will arise, the media is notified and details must be posted on the hospital’s website. Depending on the size of the breach, an independent third-party team could be hired to help manage the breach reporting and recovery process. Subsequently, a report must be filed with HHS no later than 60 days after the breach is discovered. This breach report triggers an investigation process by the Office for Civil Rights (OCR). 

The fallout from the breach doesn’t end after notification processes are complete. Once the investigation is complete, should the OCR determine that something was missing in required compliance activities such as a missing policy, lack of a business associate agreement, or serious issues like an improper or missing security risk analysis, a Corrective Action Plan (CAP) will be provided along with the resolution agreement that includes the amount of the fine. For example, a large University Health System was fined $750,000 for a breach three years ago, and they are currently working through a corrective action plan. 

Most CAPs take about 2-3 years for fulfillment and require third party evaluation of the recommended actions that must take place. Additionally, documents must be provided on demand at prescribed intervals and they must meet the OCR’s approval. If they do not meet requirements, they will be rejected and further revisions will be necessary. All of which serves to prolong the CAP timeframe. It is reasonable to determine, based on the fines accompanying recent breaches, that a large breach could cost several million dollars before the process is complete.

At the end of the day, healthcare providers and business associates must adequately prepare ahead of time before a breach takes place. Facilities must diligently apply layered security methods including encryption to keep PHI as safe as possible. The continual evaluation of risk and risk mitigation efforts must be managed intentionally as new security threats will not wait for your next scheduled review – they are taking place daily.

Jones-Sanborn, B. Breaking down the financial toll of healthcare data breaches. 16 March 2017. Healthcare Finance. Accessed 26 March 2017.