Select Page

Understanding the True Cost of a Data Breach

Clearwater recently conducted a webinar on the true cost of a data breach for a healthcare organization. Our CFO Baxter Lee enumerated the breach statistics and presented examples on notification costs, legal costs, OCR fines, state settlements, lawsuits, customer attrition, operational distraction, and more. The point is to understand the impact in order to secure the funds to mitigate the risks of a breach.

In the case of American Medical Collection Agency’s (AMCA) highly publicized data breach, the cost proved unrecoverable as its 42-year-old parent company Retrieval-Masters Credit Bureau filed for bankruptcy just weeks after disclosing the breach.

We at Clearwater advise organizations to calculate the risk of a data breach, not only for covered entities but also for their business associates.  A breach of your patient data will affect your organization, even if it’s by a business associate. 

Consider these headlines and timeline:

The data breach resulted from cyber attacks seeking financial information off of the AMCA website, and the hacking continued for eight months before being detected. Retrieval-Masters learned of the breach “after a significant number of credit cards people used to pay their outstanding medical bills via the company site ended up with fraud charges on them later.”[i]  There was apparently a delay in notification.

In the end, the breach involved protected data from Quest Diagnostics (12 million records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000), and Sunrise Laboratories, adding up to more than 20 million records. [ii]

Pending lawsuits, state actions, and OCR fines, AMAC incurred the following costs associated with this breach:

  • $10 million for 20 million recipients at $0.50/stamp
  • $400,000 for IT professionals and consultants [iii]
  • The loss of business from its two largest customers, LabCorp and Quest Diagnostics, in addition to two others – Conduent and CareCentrix. [iv]

These costs are only the beginning. Further costs are likely to occur from defending and settling lawsuits in addition to regulatory and state attorney general actions.

No organization wants to face such a devastating scenario. Performing an OCR-Quality Risk Analysis® will enable your organization to identify gaps and close them before it’s too late. But it’s not enough that your organization does the analysis. You must require your vendors to do the same.

Addressing identified high risks will help your organization to avoid preventable breaches and not be the subject of the latest headline highlighting yet another healthcare organization failing to fulfill its obligations to protect its patients and their data.

OCR-Quality Risk Analysis®

OCR-Quality Risk Analysis®

Clearwater delivers solutions to hundreds of health systems, health partner organizations, medical device manufacturers, and federal institutions nation-wide. Our complete enterprise cyber risk management solution begins with the most comprehensive, industry-proven risk analysis available, as demonstrated by a 100% OCR acceptance rate. Learn more

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Rethinking the HIPAA Security Rule: Why Forward Path 2025 Might Be the Better Way Forward

Rethinking the HIPAA Security Rule: Why Forward Path 2025 Might Be the Better Way Forward

Late last year, the US Department of Health and Human Services (HHS) introduced a more prescriptive regulatory framework for the HIPAA Security Rule, which comes at a critical time. As the industry faces unprecedented numbers of breach-related sensitive record exposures, it’s clear healthcare organizations and their supporting partners need to do more to protect patient data, but is the Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule the answer?
Assumed Breach Simulation: Lateral Movement

Assumed Breach Simulation: Lateral Movement

A cyberattack doesn’t always start with an exposed perimeter. Sometimes, all it takes is a single compromised workstation — compromised through social engineering attacks, use of weak access management. To help clients gauge the potential for a breach to occur through these attack vectors, I and my colleagues on Clearwater’s Technical Testing team perform what is called assumed breach testing – a cybersecurity assessment that evaluates an organization’s ability detect, respond to, and recover from a breach.
RSA 2025 Recap: AI, Innovation, and Identity Take Center Stage

RSA 2025 Recap: AI, Innovation, and Identity Take Center Stage

The cybersecurity world descended on San Francisco last week for RSA Conference 2025, and Clearwater was proud to be there alongside our Redspin colleagues. From AI to identity, from innovation to infrastructure, this year’s RSA reflected both the rapid evolution of cybersecurity technology, and the mounting pressure on organizations to stay ahead of new threats. Here’s what stood out to our team on the ground.
No results found.