How much could a data breach cost your medical practice? Part I

By John Southrey, CIC, CRM

Within the past month, I’ve received two separate “Security Update” e-mails from an antivirus vendor I use on my home PC advising me to check/scan for malware known as ZeroAccess and, most recently, a Zeus variant. The former is a “botnet” that hijacks computers for the financial gain of cyber criminals, and the latter is a “trojan virus” that takes hidden control of computers and intercepts online banking sessions. Both updates warned that these data security threats or “infections” were spreading across the US and in Europe, with millions of computers infected worldwide, netting cyber criminals millions of dollars in financial gains.

Of course, I use a reputable anti-virus and malware program that runs in real time with automatic updates and scheduled scans on my PC. But what if it didn’t halt these infections and they shut down my computer or compromised my data? I’m not a physician, so I don’t store any Protected Health Information (PHI) or Sensitive Personal Information (SPI) other than my own on my computer, nor do I depend on it for revenue generation.

However, if I did possess others’ PHI or SPI, I would be considered a “covered entity” by the State of Texas and subject to the new state medical privacy law known as House Bill 300 (H.B. 300). This law increased penalties up to $1.5 million for privacy breaches of PHI and SPI and added more stringent protections than those found in existing federal privacy laws such as HIPAA and HITECH. (H.B. 300 went into effect 9/1/12, and it’s been dubbed “HIPAA on steroids” by some.) Therefore, the potential impact of third party breach violations under H.B. 300 can be significant.

According to DATALOSSdb, medical practices accounted for 18% of all cyber incidents in 2011. As a medical professional, is your practice ready to respond effectively to a first party or third party cyber liability loss caused by a security breach of your or your patients’ private information? Have you considered the loss of revenue and extra expenses you could incur to deal with a cyber-related interruption in your practice, as well as the potential revenue loss and costs due to damage to reputation from an adverse media report or patient notifications?

In a recently published study, The Third Annual Benchmark Study on Patient Privacy & Data Security Cost of Cyber Crime conducted by the Ponemon Institute, the authors noted, “According to the organizations in this study, the average number of lost or stolen records per breach was 2,769 …. Other research conducted by Ponemon Institute has found the average cost per one lost or stolen record is $194. Based on the average number of lost or stolen records in this study, only one data breach could have an economic impact of about $537,186.” The Ponemon Institute also developed a free online “Data Breach Risk Calculator” that illustrates the potential costs from a data breach.

The key, then, is having a strategy for protecting all sensitive data and the proper privacy and security procedures in place beforehand, as it’s much easier to prevent a data breach before it happens than it is to undo it afterward. Become informed and at least contact your commercial insurance agent or medical professional liability carrier to discuss what resources they have to help you avert and insure against cyber liability losses. In the latest edition of TMLT’s the Reporter (2012, Volume 6, page 3), there’s a series of cyber liability questions to help you focus on what could go wrong.

Please share your thoughts about cyber risks in the comments section. Visit us in a few weeks for part two of this blog post.