Understanding the True Cost of a Data Breach

Clearwater recently conducted a webinar on the true cost of a data breach for a healthcare organization. Our CFO Baxter Lee enumerated the breach statistics and presented examples on notification costs, legal costs, OCR fines, state settlements, lawsuits, customer attrition, operational distraction, and more. The point is to understand the impact in order to secure the funds to mitigate the risks of a breach.

In the case of American Medical Collection Agency’s (AMCA) highly publicized data breach, the cost proved unrecoverable as its 42-year-old parent company Retrieval-Masters Credit Bureau filed for bankruptcy just weeks after disclosing the breach.

We at Clearwater advise organizations to calculate the risk of a data breach, not only for covered entities but also for their business associates.  A breach of your patient data will affect your organization, even if it’s by a business associate. 

Consider these headlines and timeline:

The data breach resulted from cyber attacks seeking financial information off of the AMCA website, and the hacking continued for eight months before being detected. Retrieval-Masters learned of the breach “after a significant number of credit cards people used to pay their outstanding medical bills via the company site ended up with fraud charges on them later.”[i]  There was apparently a delay in notification.

In the end, the breach involved protected data from Quest Diagnostics (12 million records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000), and Sunrise Laboratories, adding up to more than 20 million records. [ii]

Pending lawsuits, state actions, and OCR fines, AMAC incurred the following costs associated with this breach:

  • $10 million for 20 million recipients at $0.50/stamp
  • $400,000 for IT professionals and consultants [iii]
  • The loss of business from its two largest customers, LabCorp and Quest Diagnostics, in addition to two others – Conduent and CareCentrix. [iv]

These costs are only the beginning. Further costs are likely to occur from defending and settling lawsuits in addition to regulatory and state attorney general actions.

No organization wants to face such a devastating scenario. Performing an OCR-Quality Risk Analysis® will enable your organization to identify gaps and close them before it’s too late. But it’s not enough that your organization does the analysis. You must require your vendors to do the same.

Addressing identified high risks will help your organization to avoid preventable breaches and not be the subject of the latest headline highlighting yet another healthcare organization failing to fulfill its obligations to protect its patients and their data.

OCR-Quality Risk Analysis®

OCR-Quality Risk Analysis®

Clearwater delivers solutions to hundreds of health systems, health partner organizations, medical device manufacturers, and federal institutions nation-wide. Our complete enterprise cyber risk management solution begins with the most comprehensive, industry-proven risk analysis available, as demonstrated by a 100% OCR acceptance rate. Learn more

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Clearwater Cyber Briefing: Key Trends and Takeaways for December 2024

Clearwater Cyber Briefing: Key Trends and Takeaways for December 2024

In today’s ever-evolving threat landscape, staying ahead of cybersecurity risks is more critical than ever for healthcare organizations. That’s why, each month, Clearwater Security delivers a Cyber Briefing, providing a comprehensive digest of the latest news, emerging threats, and key updates from across the healthcare cybersecurity ecosystem. These briefings are designed to equip healthcare leaders with the knowledge and insights they need to safeguard their organizations and stay informed on the most pressing issues.
Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.

Connect
With Us