News Feature | August 24, 2016

When Healthcare Organizations Can't Pay For Breaches

By Christine Kern, contributing writer

Cryptowall breach

Latest attacks demonstrate the ripple effect of ransomware and other breaches.

It is no secret that healthcare is increasingly being targeted by cybercriminals who want to obtain valuable protected data and extort money from the affected organizations. According to data from the Ponemon Institute, 91 percent of healthcare organizations saw at least one data breach over the past two years, and more than 60 percent of hospitals lack a breach response plan. In fact, security firm Solutionary found healthcare organizations are 114 times more likely to be attacked than financial institutions. As the threat of ransomware escalates, a pair of lawmakers is pushing for required patient notification in the wake of cyber attacks.

When a breach occurs, the standard response is to provide credit monitoring from six months to a year following the announcement at no cost to the affected parties. But what happens if the targeted healthcare organization can’t afford to pay up?

This happened at Athens Orthopedic Clinic, where officials said they can’t afford to pay for extended credit monitoring for the nearly 200,000 patients affected. CEO Kayo Elliot explained providing the monitoring would cost millions and could potentially put the clinic out of business.

“Many patients are upset and frustrated with the situation,” Elliot explained, “and of course, they wish we could pay for extended credit monitoring. So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and I am truly sorry for the position this puts our patients in.”

The data breach occurred on June 14 when hackers used log-in credentials belonging to a third-party vendor to access clinic medical records. When the breach was discovered, Athens Orthopedic terminated its relationship with the vendor, notified law enforcement, hired a cybersecurity team to prevent future incidents, and informed patients that their records may have been compromised.

In the wake of the attack, some 500 patient records from Athens Orthopedic were actually put up for sale on the black market by hacker group the Dark Overlords, according to Healthcare Finance News. Among the information for sale was Social Security numbers, dates of birth, phone numbers, and medical records. The Dark Overlords have previously accessed and offered for sale some 9.3 million patient records obtained from various health information databases.

While organizations are required to report breaches to government agencies and notify potentially affected customers, no regulation requires them to pay for credit monitoring for those affected. The practice is good customer service, but it is not a requirement.

So what happens when an affected healthcare provider can’t afford to do it, as is the case with Athens Orthopedic? The case demonstrates the ripple effect such breaches can cause: the impact falls not only on the patients whose records might be stolen, but also on the healthcare facility’s reputation and its retention of clients, as faith in the provider weakens.