Understanding the True Cost of a Data Breach
Clearwater recently conducted a webinar on the true cost of a data breach for a healthcare organization. Our CFO Baxter Lee enumerated the breach statistics and presented examples on notification costs, legal costs, OCR fines, state settlements, lawsuits, customer attrition, operational distraction, and more. The point is to understand the impact in order to secure the funds to mitigate the risks of a breach.
In the case of American Medical Collection Agency’s (AMCA) highly publicized data breach, the cost proved unrecoverable as its 42-year-old parent company Retrieval-Masters Credit Bureau filed for bankruptcy just weeks after disclosing the breach.
We at Clearwater advise organizations to calculate the risk of a data breach, not only for covered entities but also for their business associates. A breach of your patient data will affect your organization, even if it’s by a business associate.
Consider these headlines and timeline:
- August 1, 2018 to March 30, 2019. Hackers stole personal and medical information from American Medical Collection Agency (AMCA)
- February 28, 2019. Gemini Advisory identifies a large number of compromised records while monitoring dark web marketplaces
- March 1, 2019. Gemini Advisory makes several unsuccessful attempts to contact AMCA in order to alert victims
- March 1, 2019. Gemini Advisory successfully provides its findings to Federal Law Enforcement
- April 30, 2019. AMCA takes its payment portal offline
- May 10, 2019. AMCA breach impacted 200,000 patients – Gemini Advisory
- May 14, 2019. AMCA notifies Quest of the breach
- June 3, 2019. AMCA breach hits 12 million Quest Diagnostics patients
- June 5, 2019. 7.7 million LabCorp patients included in AMCA breach
- June 7, 2019. Connecticut and Illinois open investigation into Quest Diagnostics, LabCorp data breach
- June 10, 2019. Third SEC Filing on AMCA data breach, bringing total to over 20 million
- June 11, 2019. Quest, LabCorp, AMCA face breach lawsuits, state investigations
- June 17, 2019. AMCA Breach: 20 million victims, 19 class actions
- June 18, 2019. AMCA parent files Chapter 11 after data breach impacting Quest, LabCorp
The data breach resulted from cyber attacks seeking financial information off of the AMCA website, and the hacking continued for eight months before being detected. Retrieval-Masters learned of the breach “after a significant number of credit cards people used to pay their outstanding medical bills via the company site ended up with fraud charges on them later.”[i] There was apparently a delay in notification.
In the end, the breach involved protected data from Quest Diagnostics (12 million records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000), and Sunrise Laboratories, adding up to more than 20 million records. [ii]
Pending lawsuits, state actions, and OCR fines, AMAC incurred the following costs associated with this breach:
- $10 million for 20 million recipients at $0.50/stamp
- $400,000 for IT professionals and consultants [iii]
- The loss of business from its two largest customers, LabCorp and Quest Diagnostics, in addition to two others – Conduent and CareCentrix. [iv]
These costs are only the beginning. Further costs are likely to occur from defending and settling lawsuits in addition to regulatory and state attorney general actions.
No organization wants to face such a devastating scenario. Performing an OCR-Quality Risk Analysis™ will enable your organization to identify gaps and close them before it’s too late. But it’s not enough that your organization does the analysis. You must require your vendors to do the same.
Addressing identified high risks will help your organization to avoid preventable breaches and not be the subject of the latest headline highlighting yet another healthcare organization failing to fulfill its obligations to protect its patients and their data.
OCR-Quality Risk Analysis™
Clearwater delivers solutions to hundreds of health systems, health partner organizations, medical device manufacturers, and federal institutions nation-wide. Our complete enterprise cyber risk management solution begins with the most comprehensive, industry-proven risk analysis available, as demonstrated by a 100% OCR acceptance rate. Learn more
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.