How much will the CHS breach cost?

 Last week, Franklin, Tenn.-based Community Health Systems reported a cyberattack affecting nearly 4.5 million people. A data breach of this size is likely to be extremely costly for the 206-hospital system.

According to a CHS notification, no medical information was compromised in the breach. However, the information that was compromised — including patient names, addresses and Social Security numbers — is still protected under HIPAA, meaning CHS could face fines if the current federal investigation into the breach finds fault with CHS' security practices.

Past HIPAA settlements give an indication of the size of the fine CHS could face. Last year, WellPoint settled with HHS for $1.7 million over allegations a security weakness in the health insurer's database left the protected health information of more than 600,000 people vulnerable to "unauthorized individuals" over the Internet. The CHS data breach, affecting about 7.5 times the number of people, has the potential to be much more expensive. Additionally, in June an HHS official said the department plans to step up enforcement and fines related to data breaches, meaning CHS fines could be higher than past settlements would suggest.

Much of the cost of HHS sanctions could come from "corrective actions" necessitated from a settlement. In 2009, a burglary exposed the information of 1 million BlueCross Blue Shield of Tennessee beneficiaries. The organization was slapped with a $1.5 million fine, but spent more than four times that amount, $7 million, on IT security remediation, according to an analysis in Forbes.

CHS could also face legal settlements. A class-action suit has already been filed in Alabama, accusing the health system of breaching its contracts with patients by failing to secure their personal information. More suits could be filed, as CHS operates facilities in 29 states. Two class-action settlements announced in July give an idea of how large a CHS settlement could be — grocer Schnuck Markets agreed to a $2.1 million settlement following a breach that exposed 2.4 million credit and debit cards, and Sony agreed to pay $15 million to settle a suit after 77 million user accounts, possibly including credit card information, were compromised.

The identity security services CHS has offered to affected patients will also add to the total cost of the breach. Forbes estimates the total will come to $20 million, assuming about 30 percent of those affected opt-in to the service at an annual cost of about $12 to $20 per person per year.

[tweet this] However, a recent study from the Ponemon Institute suggests CHS will face even steeper costs. The study found breaches caused by malicious attacks ended up costing organizations a total $277 per compromised record. The study focused on smaller breaches, between 100 to 100,000 compromised records, so CHS may benefit from economies of scale and not be stuck with the $1.25 billion bill this report would suggest. However, the $277 figure is an average from several different industries, and the report stated healthcare data breaches have historically been more expensive than breaches in other industries.

More articles on data breaches:

Physician's home burglary compromises St. Elizabeth patient information
Cedars-Sinai reports potential data breach due to stolen laptop
FBI: Hackers are targeting healthcare organizations

 

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars