Still, there are lessons to be learned even for small organizations

Community Health Systems’ (CHS) recent data breach of 4.5 million patient records raises several questions. None of them has been answered yet, but there are already lessons everyone can learn.

Did the breach really only affect identifying information, and no medical records, as claimed by CHS? I have doubts because we heard the same thing from Advocate Health System in 2013 when they breached 4 million records, and it took weeks after the burglary before they admitted that medical information had also been taken. Also, a breach does not necessarily mean that the data was stolen; it may only have been accessed by an unauthorized individual. If the hackers gained access to the entire patient record but chose to extract only the identifying information, then the medical information was still breached, even though it was not taken.

Still to be answered: In a hospital, what system could you hack that contained just patient identifiers like names, birthdates, and Social Security numbers, but no medical information?

If only identifying data was stolen, how is this a HIPAA violation? Good question. HIPAA’s definition of Protected Health Information requires that identifiers be combined with information about a patient’s diagnosis, treatment, or payment for health care. Identifiers alone do not meet that definition.

Still to be answered: Were full medical records accessed, but only identifying data extracted? If so, isn’t that a breach of medical information too, i.e., a HIPAA violation?

What costs and penalties is CHS facing? First, notification, advertising, and credit monitoring costs for 4.5 million patients. Even if it is determined that CHS has not violated HIPAA, state law still applies: according to the CHS website, “the organization’s affiliates own, operate or lease 206 hospitals in 29 states with approximately 31,100 licensed beds.” Forty-seven states and Puerto Rico now have data breach laws that protect exactly the type of information CHS said was taken. Imagine CHS’s legal fees for reporting to 29 separate state attorneys general and regulatory agencies. Plus legal fees to fight class-action suits, and PR crisis management costs to protect the organization’s reputation. Plus consulting fees to evaluate the breach and protect the organization’s technology. Plus lost business. Not to mention fines and other penalties still to come.

In Puerto Rico, when a health plan breached 70,000 records, it was fined $6.8 million. In Minnesota, when Accretive Health Plan breached 23,000 records (which doesn’t sound like a lot compared with CHS), the state attorney general fined them $2.5 million and banned them from doing business in the state for six years. Then, the Federal Trade Commission put Accretive on a 20-year monitored compliance program.

According to the Ponemon Institute Cost of a Data Breach study sponsored by IBM, the average cost per record breached in 2013 was $201. However, for breaches caused by malicious attacks the cost was $246 per record. Using the lower figure, CHS could pay over $900 million. At the higher rate the impact could exceed $1 billion. There is probably some economy of scale when you breach 4.5 million records, so at just $50 per record the impact on CHS will only be $225 million. CHS said in its federal 8-K filing for investors that it carries cyber-liability insurance and that it “does not believe this incident will have a material adverse effect on its business or financial results.”

Still to be answered: What will be the real cost to the organization? What portion will be covered by their cyber-liability policy? Did CHS really anticipate over $100 million in losses when they bought their insurance? Answers may take years of following penalty announcements and reading CHS’s investor filings.

What can you learn from the CHS breach?

1. Focus on Security, not just Compliance. When people talk about HIPAA they usually discuss Compliance, but HIPAA is all about protecting and securing health information. Security should be your organization’s first focus.

2. Get your IT team focused on Security, not just network reliability and performance. Just like when healthcare changed with Universal Precautions requiring gloves, goggles, and masks, IT has changed and now requires a strong focus on Security. Make sure your IT staff or outsourced provider has Security expertise.

3. Invest in Security. Update your computers, mobile devices, servers, software, firewalls, endpoint protection software, event logging, remote access tools and encryption to protect you against today’s sophisticated threats. Train your users and monitor their compliance with your policies and procedures.

4. Buy enough cyber-liability insurance. You may be shocked when you multiply the number of medical records you have by $201, the average cost per record breached in the most recent study. If you have 20,000 records, that is a risk of over $4 million. 100,000 records is over $20 million. Make sure the policy covers retroactive breaches (previous breaches discovered after the policy was purchased) and also litigation costs. This article provides some excellent tips.

5. There is more to regulatory compliance than HIPAA. GLBA is like HIPAA but for financial information. Almost all states have data breach laws that protect the information you store about your employees (name plus Social Security numbers, driver’s license info, state license info, and in some states bank account numbers and medical information). State attorneys general and other regulatory agencies can enforce these laws. California, Massachusetts, and Texas have unique requirements. PCI-DSS protects credit card information. The Federal Trade Commission can also enforce data breach penalties.

6. Security and Compliance can best be achieved with assistance from Specialists. Primary care doctors refer patients to specialists every day. Even specialists refer patients to other specialists. If you aren’t confident about your security and compliance, or just want to validate that your efforts are really working, think about calling in a specialist.