Understanding the True Cost of a Data Breach

Clearwater recently conducted a webinar on the true cost of a data breach for a healthcare organization. Our CFO Baxter Lee enumerated the breach statistics and presented examples on notification costs, legal costs, OCR fines, state settlements, lawsuits, customer attrition, operational distraction, and more. The point is to understand the impact in order to secure the funds to mitigate the risks of a breach.

In the case of American Medical Collection Agency’s (AMCA) highly publicized data breach, the cost proved unrecoverable as its 42-year-old parent company Retrieval-Masters Credit Bureau filed for bankruptcy just weeks after disclosing the breach.

We at Clearwater advise organizations to calculate the risk of a data breach, not only for covered entities but also for their business associates.  A breach of your patient data will affect your organization, even if it’s by a business associate. 

Consider these headlines and timeline:

The data breach resulted from cyber attacks seeking financial information off of the AMCA website, and the hacking continued for eight months before being detected. Retrieval-Masters learned of the breach “after a significant number of credit cards people used to pay their outstanding medical bills via the company site ended up with fraud charges on them later.”[i]  There was apparently a delay in notification.

In the end, the breach involved protected data from Quest Diagnostics (12 million records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000), and Sunrise Laboratories, adding up to more than 20 million records. [ii]

Pending lawsuits, state actions, and OCR fines, AMAC incurred the following costs associated with this breach:

  • $10 million for 20 million recipients at $0.50/stamp
  • $400,000 for IT professionals and consultants [iii]
  • The loss of business from its two largest customers, LabCorp and Quest Diagnostics, in addition to two others – Conduent and CareCentrix. [iv]

These costs are only the beginning. Further costs are likely to occur from defending and settling lawsuits in addition to regulatory and state attorney general actions.

No organization wants to face such a devastating scenario. Performing an OCR-Quality Risk Analysis® will enable your organization to identify gaps and close them before it’s too late. But it’s not enough that your organization does the analysis. You must require your vendors to do the same.

Addressing identified high risks will help your organization to avoid preventable breaches and not be the subject of the latest headline highlighting yet another healthcare organization failing to fulfill its obligations to protect its patients and their data.

OCR-Quality Risk Analysis®

OCR-Quality Risk Analysis®

Clearwater delivers solutions to hundreds of health systems, health partner organizations, medical device manufacturers, and federal institutions nation-wide. Our complete enterprise cyber risk management solution begins with the most comprehensive, industry-proven risk analysis available, as demonstrated by a 100% OCR acceptance rate. Learn more


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us