A healthcare cybersecurity breach can have devastating consequences, potentially jeopardizing patient safety and confidentiality. Such breaches can result in unauthorized access to sensitive patient data, disrupt healthcare services, and lead to significant financial losses due to potential lawsuits and loss of trust among patients.
The healthcare industry has been rocked by massive data breaches over the past five years, with 42 million patients affected by compromised data between 2016 and 2021.
The larger the organization, and the more facilities it runs, the more information there is for attackers to go after, since they hold that information for ransom.
In this blog post, we dive into some of the impacts after a security breach. If you work in healthcare and security, take note of the actions you’ll need to complete.
What Happens After Patient Data Is Involved in a Breach?
One of the most important things to know and remember is that patient data is bound and protected by the Health Insurance Portability and Accountability Act, also known as HIPAA.
Consequently, any healthcare provider that suffers a security breach must comply with the HIPAA Breach Notification Rule. This rule requires providers to inform patients of any unauthorized access to their data within 60 days of the incident. For those thinking that these rules can be skirted, there are also criminal penalties for anyone who does not disclose this information in a timely manner.
It is also important for the organization involved in a breach to report the incident to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The HHS OCR is responsible for reviewing and monitoring any security breaches that involve patient data.
Consider the extra steps to take after discovering and reporting a breach:
- Evaluating the probability that Protected Health Information (PHI) was compromised.
- Informing the proper media outlets if more than 500 people are affected.
- Submitting a notice of a breach of unsecured Protected Health Information to the Secretary of Health and Human Services.
And other specific rules, such as:
- If more than ten affected patients have out-of-date contact information, you must post a notice about the breach on your website for 90 days.
The Risks of Financial and Reputational Harm After a Breach
Failures in HIPAA compliance have produced financial consequences for healthcare organizations in the past, especially when they were found to have violated security requirements and best practices.
In recent history, several healthcare organizations have faced hefty fines for HIPAA security breaches. For instance, the health insurance giant, Anthem Inc., faced a staggering $16 million fine in 2018 due to a cyberattack that exposed the ePHI of nearly 79 million individuals. This stands as the largest HIPAA fine to date. In another high-profile incident, Premera Blue Cross was fined $6.85 million in 2020 after a cyber-attack exposed the health information of 10.4 million individuals. Notably, the University of Texas MD Anderson Cancer Center was penalized with a $4.3 million fine in 2018 for loss of health information related to unencrypted devices. These instances underscore the financial risk healthcare organizations face when HIPAA security procedures are not rigorously followed.
Security breaches can have a huge impact on healthcare organizations, not just financially but also on their reputation. Trust is crucial in healthcare, and when patient information gets compromised, it really shakes that trust. It can make patients lose confidence and switch to other providers, which means less business. And it’s not just the patients: the media can jump on it and give the organization a bad image, making it harder to attract new patients. Plus, among peers in the industry, a breach can damage professional reputation and affect partnerships. So yes, the damage caused by a security breach is serious and long-lasting, which is why it’s so important to follow HIPAA rules to the letter.
Your main takeaway: this is a lot of money, and while implementing robust security can be expensive as well, it is far better to invest in cybersecurity than to deal with the financial consequences.
In our next blog post, we’ll look at ways security teams can prevent a cybersecurity attack. Stay tuned for more!