An AZ anesthesiology practice with 200 providers across the state has reported a hack of its computer system that may have — or may not have — exposed the PHI of more than 880,000 patients and employees. The situation was made public when the practice announced that it was notifying all patients and staff whose records may have been hacked.
As you may know, the insurance agency I work for is applying my time more and more to privacy liability issues because of the explosive growth of data breaches. I live in fear of cases like this.
According to news reports, the group’s forensic experts did not find evidence that the hacker had accessed or stolen PHI or financial information, but the experts could not guarantee that the hackers had not obtained any confidential information. Under Office for Civil Rights (OCR) regulations, the burden rests on the covered entity to rebut the presumption that the security breach compromised the privacy of the PHI. State privacy laws would apply to the employee PII.
In an earlier article, we warned about the OCR position that ransomware attacks that seize data from your computer create just such a potential situation. OCR has indicated in its published advisories that its presumption will be that an intruder who can lock your files had access to those files unless YOU can present a convincing case that there was no access to the records. Making that case typically takes time and a lot of lawyers and expensive forensic specialists. That means money.
The Arizona practice ultimately made the decision to notify patients and set up credit monitoring and an information hotline. Again, that takes money — potentially millions of dollars just for the notifications and credit services. The national Ponemon Institute annual report and other industry surveys show “average” total costs of $142 per file up to $365 per file potentially compromised.
The reports on this incident do not disclose what notification and monitoring costs are really being incurred, but the number of files in this case is huge. At even an unlikely low figure of $5 per file, the practice would be looking at $4+ million and that amount would shut down almost any medical service or practice. Even a smaller practice with only 10% of the files would be looking at 88K notifications, which would still threaten their survival.
My point here is that healthcare organizations are prime targets for the bad guys, and cyber liability should scare you as much as malpractice threats. If you are in a management position in your practice, firm, or hospital, you need to face the fact that no matter how good your IT department is, you are still likely to be hacked. Your organization should be talking to your insurance agent about whether you are adequately insured with a company (there are many) that will give you forensic and legal experts to step in to protect you.
MEA CULPA – Due to another death in the family, I have had to delay our promised free webinar on ransomware. I will try to get an announcement out to you in the next few days.