10 HIPAA Breach Costs Healthcare Organizations Should Be Aware Of

Published: November 14th, 2019

HIPAA Breaches can cost healthcare organizations millions. Healthcare data breaches typically cost more than data breaches in any other industry. In fact, the average cost of a healthcare data breach in the United States is $15 million. The 2018 Cost of a Data Breach Report from IBM and Ponemon Institute found that the average healthcare data breach costs $408 per record, which is the highest of any industry by nearly three times.

Most often, it is the hidden costs of a healthcare data breach that are expensive and difficult to manage. Healthcare organizations need to take into account many expenses, such as reputational damage, operational costs, civil claims, and financial penalties.

The following are 10 HIPAA breach costs that healthcare organizations should factor into breach cost estimates:

  1. Breach Investigations - Following a data breach, an external organization must investigate the breach to identify the cause and ensure that unauthorized access to PHI has been stopped.
  2. Remediation - The safeguards that should have been in place to prevent the breach must be implemented under the scrutiny of the Office of Civil Rights and the general public.
  3. Temporary Operational Changes - A data breach places a considerable administrative burden on healthcare providers. Staff must issue notifications, update websites, field customer queries, and implement new safeguards. Healthcare services can therefore be affected, and operational changes may be necessary.
  4. Breach Notification Letters - Breach notification letters must be issued to all affected individuals by first-class mail. Subsequent notifications may be sent with updated information.
  5. Identity Theft Protection - HIPAA requires covered entities to provide free credit monitoring and identity theft protection to all breach victims. The current cost is $10 per month per person, and services must be provided for 1-2 years.
  6. Regulatory Fines/Office of Civil Rights - The Office of Civil Rights issues financial penalties for HIPAA violations up to a maximum of $1.5 million per year, per violation category.
  7. Regulatory Fines/Attorney General's Offices - The Attorney General's Offices assist OCR in policing the HIPAA Privacy and Security Rules. The State AG Offices issue fines of up to $25,000 per violation category.
  8. Loss of Business and Reputation - Providers can expect a loss rate of 5-6% following a data breach; however, 65% of patients would consider switching providers after a major HIPAA data breach.
  9. Class Action Lawsuits - Class action lawsuits usually claim damages of $1,000 per victim. Negligence claims may also be filed against healthcare providers for exposing PHI.
  10. Website/Helpline for Breach Victims - HIPAA requires covered entities to publish information on the company or designated website, as well as to provide victims with a free phone number through which they can obtain further information.
