By Laurie Zabel, Director of Coding & Compliance, MedSafe
Healthcare data breaches cost the U.S. healthcare industry nearly $6.2 billion each year. In fact, healthcare has the highest cost per breached record of any industry. Why? Healthcare is extremely attractive to hackers because medical records include everything they need: names, Social Security numbers, date of birth, credit card information, insurance information, protected health information (PHI), and more.
For both patients and organizations, costs associated with a healthcare breach are astounding. Victims of medical identity theft spend on average $20,000 in out-of-pocket expenses. What is more difficult to equate is the additional consequences such as damage to credit, financial stability, loss of insurance, or worse — receiving the wrong type of care due to tampered medical files.
Healthcare organizations spend roughly $1 million per year, per firm, on data breaches. However, this number varies greatly. According to industry reports, Anthem spent nearly $100 million from a data breach in 2015, and the costs keep coming. Though, industry experts have placed the cost per breached record at $402, what is harder to measure are other costs involved such as reputational damage, financial impact, legal and regulatory repercussions, operational expenses, and clinical considerations. One report on Becker’s Hospital Review estimated the real cost per breached record at nearly $700 per medical record. The report measured and provided further detail on the true costs involved with each category:
- Reputational — Reputational damage within a small community can often be difficult to recover from. In one study, nearly 7 percent of patients said they would likely change providers after a data breach.
- Financial — The financial costs include fixing security issues, remediation/mitigation, switching vendors, notifying those patients affected and providing free credit monitoring, and much more.
- Legal and regulatory — These costs include fines and penalties, reestablishing accreditation, and lawsuits. Civil penalties can cost up to $50,000 per breach, while repeat violations can be up to $1.5 million. Class-action lawsuits are also very costly.
- Operational —Operational costs can vary, including the cost of retraining employees or hiring new employees. Costs of increasing IT staff and support if necessary, replacing systems, implementing new processes.
- Clinical — When patient records are compromised, patient safety becomes an issue. Hackers can modify a patient's medical record, which may lead to a delayed or wrong diagnoses that could ultimately be fatal.
In today’s healthcare landscape, most organizations cannot afford a costly data breach which is why prevention is often the best defense. Healthcare organizations should conduct a risk analysis and implement the necessary safeguards and controls. It is also important to prepare a data breach response plan to ensure readiness to meet notification requirements and industry regulations should a data breach occurs. Taking these important steps can help reduce the potential of a data breach occurring and help avoid costly fines, lawsuits, reputational damage, and loss of patients.