Healthcare Data Breaches: Handle with Care

Data breaches are notorious for the financial, legal, and reputational damage they can inflict on an organization and its customers. The unintentional exposure of a social security number or financial information raises the risk of identity theft and increases an organization's vulnerability to lawsuits, fines and lost business.

These risks are especially troubling for healthcare providers, since data breaches in this sector are up 32 percent since 2010, according to a new benchmark study by the Ponemon Institute. And healthcare data breaches are expensive, costing the industry an estimated $6.5 billion.

At the same time, Moody’s reports that the median revenue growth rate for hospitals is only 4 percent, its lowest in 20 years, and long-term revenue growth is expected to decline.

With this dismal financial outlook, it is safe to predict that data breaches are likely to increase: 73 percent of respondents in the Ponemon study reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss, or theft. In fact, 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches.


What’s more, the unique nature of the information compromised—medical records and other health information—poses distinct threats to both providers and patients, and therefore requires special care. These risks include:

  1. The physical dangers to patients. Medical identity theft occurs when a patient’s credentials are used to obtain medical goods and services, or to bill for medical goods and services that the owner of those credentials never received. Victims of medical identity theft are susceptible not only to financial damages but also to threats to their health. Patients can be denied treatment because of maxed-out benefits, be misdiagnosed because of record pollution (when a victim’s records are merged with those of a thief using the same identity), be denied insurance, or face embarrassment because of the exposure of sensitive information, such as mental health records.
  2. The unique requirements of the patient population. According to the Ponemon study, a patient has an average lifetime value of more than $113,000—high stakes for healthcare providers. But meeting the varying needs of patients affected by a data breach is not easy. Many are minors, elderly or disabled, or face mental health challenges. Because of this, custom services, such as specialized call center agents, may be required.
  3. The need for specialized identity monitoring. Many data breach response vendors, credit bureaus and providers of cyber insurance typically offer credit monitoring to those affected by a data breach. Victims of a healthcare data breach, however, require medical identity monitoring, a service that tracks a patient’s insurance numbers and other medical information. Credit monitoring does not provide notification of medical identity theft.
  4. The move to electronic health records (EHR). In February 2009, the U.S. Senate passed an $838 billion stimulus bill, in part to enable the digitization of every American’s medical record. Healthcare organizations are rushing to computerize their medical records to take advantage of financial “meaningful use” incentives. But lagging security investments have left medical records more susceptible than ever to accidental or intentional disclosure, loss, or theft. What were once isolated paper records are becoming electronic health data on millions of individuals that can be transmitted in seconds. Once this information is breached, it can never be recovered.
  5. The rise of strict laws and stiff fines. The healthcare industry has, by far, the most stringent laws regarding the protection of its private data, known as protected health information (PHI). The HIPAA Privacy and Security Rules set standards for medical information privacy. The HITECH Act extends HIPAA privacy and security requirements beyond healthcare providers to business associates, creates stricter breach notification guidelines, and gives state authorities power to enforce HIPAA rules. It also increased penalties for noncompliance—up to $1.5 million.

The combination of increased danger to patients, the move to electronic health records, and the strict laws associated with protected health information all increase the risks associated with healthcare data breaches. More than ever, healthcare organizations need to strengthen their preventive measures to minimize those risks and ensure positive outcomes for their organization and the patients they serve.
