The Real Cost of Data Breaches

Industry Spends Over $6B Annually on Data Breaches

In the wake of the Anthem breach, which put 800,000 subscribers at risk, hospitals nationwide have their ears perked up to establish a first-line defense against data breaches. These types of breaches cost the industry over $6 billion each year.

Individual Firms Spend At Least $1M Annually

On the larger scale of things, the overall economic impact is around $30.9 billion annually, and individual firms can expect to send at least $1 million annually in response to data breaches involving critical patient information.

Medical Records = Thief’s Dream

The type of information that lives in a patient’s medical record is precisely what identify thieves are looking for: names, social security numbers, dates of birth, payment and insurance information and other health information specifics that can differentiate patients (called PHI). Even one or two of these pieces of vital information can be used to steal a patient’s identity — and purchase prescriptions or services.

Delayed Response

What further complicates the matter is that the pervasive and sneaky nature of these breaches means it can take months or even years for a patient to recognize that their information has been stolen and is being used to acquire services falsely. That means that medical identity theft can, and often does, go undetected for years, systematically ruining a patient’s credit score. For this reason among many, breach prevention is of utmost importance to healthcare systems and consumers alike.

$20,000 Out of Pocket Expenses for Victims

For the average incidence of medical identity theft, a patient could pay up to $20,000 in out of pocket expenses for services that they didn’t request. If these bills go unpaid, because the victim is unaware of them, it can go to collections and be extremely damaging for the patient’s credit history.

Federal Crackdowns on Reporting Requirements

In the last couple of years there have been plenty of federal crackdowns on reporting requirement for breaches. Since EMRs have become commonplace, the need for such crackdowns has increased in proportion to the ease of accessing patient information via electronic means. Billions of money has gone into the implementation of EMRs in hospitals, and finding a balance between upholding the “one patient, one record” ideal while protecting a patient’s private information is a major focus.

Healthcare Related Breaches — 43% of All Data Breaches

When it comes to identity theft in the U.S. almost half of the cases reported are healthcare related. From the perspective of those who are attempting to wrongfully obtain this information, it makes sense that healthcare would be the prime target: as previously mentioned, the wealth of information within a patient record that can be used and the organization of the record is a thief’s’ dream.

Questions You Need To Be Asking

In 2014, medical identity theft rose by 22% — and many of those cases remain unresolved because of the tangled web created for patients when their information is compromised. The task of hospitals is to understand definitively how information enters and exits their healthcare facility. Important questions to ask:

1. How does information get input into the patient’s record?
2. How does someone within the organization go about accessing the information?
3. How are access audits run — only when there is reason or prophylactically?
4. What will trigger an audit? Can new triggers be added by IT?
5. How is your organization encouraging minimal access to records? How are you enforcing protocols set in place to ensure no one accesses a record unnecessarily? Does your organization have a zero-tolerance policy for breaches within your organization?
6. How are records protected? Are they encrypted? Are emails or other computer based communications encrypted? Have these encryptions been tested?
7. How are breaches reported? What is the timeline for investigation? How are breaches communicated to the media, to the patients or the public?

These aren’t the only questions you need to ask, but they are a great place to start. The stakes are higher than ever before with data breaches, and prevention and preparation are your best defense.