By Carolyn Crandall
The cost of poor healthcare security might have just gotten more expensive.
Earlier this month, Phoenix-based Banner Health announced the largest data breach of any hospital so far this year. Hackers gained access to the system’s servers, including those processing credit card information for cafeteria sales, and others containing data from health plan members and beneficiaries, affecting more than 3.7 million patients overall. While reports of breaches such as this one can be embarrassing to a hospital’s senior executives and certainly have an effect on its reputation, those are both “soft” costs. It’s the “hard” costs, the money that can affect the bottom line, that should have hospital administrators and their boards paying closer attention to their security postures…and perhaps their overall cybersecurity budgets.
What makes this story interesting is that Banner Health not only suffered a huge breach, but is also being sued for it.
An Arizona law firm has already filed a class-action lawsuit against Banner on behalf of a local physician whose information may have been affected by the breach.
In a statement to the press, Robert Carey, a partner in the firm Hagens Berman in Arizona said, “Health care people should be on the front edge of how to protect systems in leading the charge, and the lawsuit will help incentivize an improvement in security. There has to be a great enough cost on the back end to motivate people to do the right thing on the front end.” Ouch.
That cost may continue to rise: late last week, in a move that should have caught the attention of health care organizations and facilities everywhere, three law firms announced they are also investigating the possibility of filing a class-action lawsuit against Banner Health.
Before last year, cyberattacks targeting health care providers were relatively rare and usually small in scope. Hacks of retailers, such as Target, were the ones that dominated the news.
Then, Anthem Inc. in Indiana suffered a breach that affected as many as 78 million people, the worst of all time in the United States for health care providers. That same year, a hack of Premera Blue Cross in Washington affected 11 million people, and a hack of Excellus Health Plan Inc. in New York left 10 million people exposed, according to a database of health care related breaches maintained by the U.S. Department of Health and Human Services. These three attacks represent the largest breaches of health care providers ever.
Healthcare is now an extremely attractive target for hackers who typically are in it for the money. Traditional financial records, such as credit card and Social Security numbers, sell on the black market for about $1 each. Medical records — because they’re so much more data rich — cost about $75 each on the black market.
In a sobering comment for CISOs and senior healthcare executives, James Bilsborrow, an attorney with one of the firms considering the class-action suit said, “The health care industry has been known to have some of the worst cyber security systems of any industry that holds this kind of sensitive information. Typically, the banking industry is considered by cybersecurity to have some of the best systems, and the health care industry just hasn’t kept up.”
Bilsborrow’s firm is involved in class-action lawsuits over three major security breaches, at Anthem Inc., Premera Blue Cross and Excellus Health Plan Inc., all of which exposed millions of customers’ information. These three attacks represent the largest breaches of health care providers in history.
The attorneys involved say such lawsuits aren’t so much about big paydays as about reducing the nightmare consumers face in reclaiming their identity once it has been stolen. They say these organizations should be persistent in keeping up with security changes in the face of continued attacks.
And these lawsuits are only part of the financial problem. This month, Downers Grove, Ill.-based Advocate Health Care agreed to pay $5.55 million to the U.S. Health and Human Services’ Office for Civil Rights to settle claims that it violated HIPAA.
The settlement is the largest HIPAA payment to date involving a single entity.
The allegations against Advocate, the largest health system in Illinois, involve electronic protected health information. In 2013, the OCR launched an investigation after Advocate submitted three different data breach reports on behalf of its subsidiary, Advocate Medical Group. In total, the breaches affected 4 million individuals and exposed their names, demographic information, addresses, credit card numbers, dates of birth, clinical information and health insurance information.
I haven’t gotten into how the breach was discovered or where the fault was with the security system. While those can be important points for those reporting on breaches themselves, for me this was secondary to the new level of damages that healthcare institutions can face. The point is not to illustrate just one breach and how it could have been prevented, but to convey the financial importance of re-examining your security posture, because the stakes just got a whole lot higher.
It means that, in the wake of a breach, investments in cybersecurity will begin to be weighed against the damage in hard dollars, not just soft ones. I read this as the writing on the wall: the healthcare industry, and others for that matter, will need to reassess their security infrastructure and budgets so that they can adopt new security strategies, products and services as the pressure mounts.