HIPAA breaches can cost healthcare organizations millions. Healthcare data breaches typically cost more than data breaches in any other industry. In fact, the average cost of a healthcare data breach in the United States is $15 million. The 2018 Cost of a Data Breach Report from IBM and Ponemon Institute found that the average healthcare data breach costs $408 per record, the highest per-record cost of any industry by a wide margin.
Most often, it is the hidden costs of a healthcare data breach that are expensive and difficult to manage. Expenses such as reputational damage, operational costs, civil claims, and financial penalties all need to be taken into account.
The following are 10 HIPAA breach costs that healthcare organizations should factor into breach cost estimates:
- Breach Investigations- Following a data breach, the incident must be investigated (often by an external forensics firm, and always under the covered entity's own HIPAA risk assessment obligation) to identify the cause, determine which PHI was affected, and confirm that unauthorized access has been stopped.
- Remediation- The safeguards that should have been in place to prevent the breach must be implemented, under the scrutiny of the Office for Civil Rights (OCR) and the general public.
- Temporary Operational Changes- A data breach places a considerable administrative burden on healthcare providers. Staff must issue notifications, update websites, field patient queries, and implement new safeguards. Healthcare services can therefore be affected, and temporary operational changes may be necessary.
- Breach Notification Letters- Under the HIPAA Breach Notification Rule, notification letters must be sent to all affected individuals by first-class mail (or by email, if the individual has agreed to electronic notice) without unreasonable delay and no later than 60 days after discovery of the breach. Subsequent notifications may be sent with updated information.
- Identity Theft Protection- HIPAA itself does not require credit monitoring or identity theft protection, but several state breach notification laws do, and it is commonly offered to breach victims in any case to limit harm and reduce litigation exposure. A typical cost is around $10 per month per person, and services are usually provided for 1-2 years.
- Fines/Office for Civil Rights- The Office for Civil Rights issues financial penalties for HIPAA violations up to a maximum of $1.5 million per year, per violation category (a figure that is adjusted annually for inflation).
- Fines/Attorney General's Offices- Since the HITECH Act, state Attorneys General have been able to bring civil actions for HIPAA Privacy and Security Rule violations on behalf of state residents, supplementing OCR enforcement. State AG penalties are capped at $25,000 per calendar year for violations of an identical provision.
- Loss of Business and Reputation- Providers can expect to lose around 5-6% of their patients following a data breach, and survey data suggests that as many as 65% of patients would consider switching providers after a major HIPAA data breach.
- Class Action Lawsuits- HIPAA provides no private right of action, so breach victims sue under state law instead. Class action lawsuits typically claim damages in the region of $1,000 per victim, and negligence claims may also be filed against healthcare providers for exposing PHI.
- Website/Helpline for Breach Victims- When a covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, HIPAA requires substitute notice: a conspicuous posting on the home page of the entity's website (or notice in major print or broadcast media) for at least 90 days, together with a toll-free phone number, active for at least 90 days, that victims can call to learn whether their information was involved and to obtain further information.