Federal regulators recently signed one of the largest HIPAA settlements to date — $3.5 million — with Massachusetts healthcare company Fresenius Medical Care North America. The organization reported five small health data breaches in 2012 involving lost or stolen encrypted computing devices.
So why is the settlement notable?
“Because it shows that it does not take a breach that affects millions to get OCR’s attention,” says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek as reported in this blog post.
Under HIPAA, organizations are required to report breaches that impact 500 or more individuals to federal regulators and affected individuals within 60 days.
In 2018 alone, 18 health data breaches have been reported to federal regulators affecting a combined total of more than 396,000 individuals (as of Feb. 5, 2018).
The Department of Health and Human Services’ Office for Civil Rights tracks these incidents on its Breach Reporting Tool website, a public list of major health data breaches commonly dubbed the “Wall of Shame.”
The 5 Largest HIPAA Penalties to Date include:
- Advocate Health Care Network, $5.55 million
- Memorial Healthcare System, $5.5 million
- New York-Presbyterian Hospital and Columbia University, $4.8 million
- Cignet Health of Prince George’s County, $4.3 million (civil monetary penalty)
- Fresenius Medical Care North America, $3.5 million
What’s the takeaway? If you fail to comply with HIPAA rules, you risk being fined, and as the list above shows, that fine can be hefty.
And if the fines aren’t enough to make a company want to comply, the risk of losing customers ought to be. Studies have found that when it comes to data breaches, consumers hold companies responsible more than themselves. That was one of the key takeaways from Gemalto’s 2016 Data Breaches and Customer Loyalty report. The study, which interviewed more than 9,000 consumers from 10 countries and which we covered here, found that 66 percent of respondents say they’d be unlikely to do business with organizations that expose their financial and sensitive information.
Fines such as these HIPAA penalties, coupled with the other expenses that result from a data breach, can sink a business in no time. According to some studies, 60 percent of small businesses go under following a data breach. A study by IBM found that small and mid-sized businesses are the target of 62 percent of cyber attacks. That’s because they’re an easy target and they often overestimate their cyber preparedness, according to “The 2017 Cyberrisk Preparedness and Response Survey” from Advisen, which surveyed more than 300 risk managers, insurance brokers and legal experts.
“Time and again companies mishandle their response to high-profile cyber incidents resulting in customer churn and a diminished ability to meet anticipated revenues. The financial harm from a damaged reputation and loss of consumer confidence has the potential to exceed other cyber-related first- or third-party financial losses,” according to this story from Credit Union Times.
Preparedness is key. Companies that have a data breach plan in place are better able to respond quickly and contain threats, which often saves them money in the long run.
“Being ‘compromise ready’ better positions companies to respond to data security incidents faster, contain the threat and potentially lessen the severity of these events,” said Theodore Kobus, the chair of BakerHostetler’s privacy and data protection team, in a law360.com article. “What we found is that companies which have a program in place, and who are conducting tabletop exercises and incident response workshops, are better prepared to detect incidents, which helps them respond to incidents in a more timely manner,” Kobus said.
This is where LibertyID for Small Business can help. When a small company has a data breach, it causes severe damage to the organization, its employees (no matter how their identity is compromised), customers and reputation. LibertyID for Small Business prepares you with prevention planning, a crisis response plan and fully managed identity theft restoration for your employees and for your customers should you experience a data breach.
Our service includes an hour of consultation with a well-qualified attorney who has extensive data breach response experience. The attorney will review the circumstances of the event, answer general questions, identify critical issues and develop next steps, including a custom data breach notification plan with consumer and regulatory notice templates, recommended content and a required timeline. When a data breach happens, our team of specialists goes to work.