In addition, the cost of responding to breaches and remediating the vulnerabilities that caused the incident is much higher for noncompliant organizations, and the reputation damage from a data breach can be detrimental to your business.
Cost of Noncompliance: Breach Detection, Mitigation, and Response
Each year, Ponemon Institute releases a report discussing the average cost of a data breach for the previous year. According to Ponemon, the average cost per lost or stolen record was $408, so even a relatively small breach that affected just 500 individuals could cost an organization $200,000. However, the average cost of a healthcare data breach in 2021 was much higher.
The 2021 cost of healthcare data breaches soared to an average of $9.3 million per incident – a 29.5 percent increase over 2020’s average of $7.13 million.
The likelihood of being breached as a healthcare organization is also shockingly high. On average, 600 cyberattacks a week target healthcare organizations alone, and these incidents generally come at a higher cost per incident. Hacking incidents can be more costly for many reasons, including the time it takes to detect the incident, remediation efforts, identity protection for affected patients, contracting a third-party cybersecurity firm, and recovering patient data.
Sending Patients Breach Notification Letters
In the healthcare industry, organizations must alert affected individuals via mail in the event of a data breach. Depending on how many individuals are affected by the incident, the cost of notification can be astronomical.
In one such case, the American Medical Collection Agency (AMCA) experienced a large-scale breach in which they had to send 7 million individuals breach notification letters, costing the organization $3.8 million.
Data Breach Response and Remediation
Many small to mid-sized businesses don’t have dedicated IT personnel on staff. When an organization experiences a data breach, remediation efforts must be implemented to ensure that another breach doesn’t occur. An organization may need to hire IT experts to address security issues and close security gaps. AMCA, for instance, spent $400,000 to hire an outside IT firm to assist with breach response.
Credit Monitoring and Identity Theft Protection
Under HIPAA, organizations that experience a data breach must offer affected individuals free credit monitoring and identity theft protection for two years. Credit monitoring can cost between $10 and $30 a month per individual, or $240 to $720 per person for two years of credit monitoring.
Data Breach Reputation Damage
The negative impact on an organization’s reputation can be the most costly and most often overlooked aspect of a data breach. Building a reputation can take years, but it takes only one incident to damage an organization’s reputation permanently. When an organization is breached and that breach affects more than 500 individuals, the details of the incident are posted to the Office for Civil Rights’ “wall of shame”.
According to Ponemon, the lost business cost of a data breach was nearly $1.6 million.
Lost business costs include:
- Business disruption and revenue losses from system downtime
- Cost of lost customers and acquiring new customers
- Reputation losses
- Diminished goodwill
Data breach reputation damage can be detrimental; AMCA lost three of its largest clients due to the data breach, a major contributing factor in the company’s bankruptcy filing.
Cost of Noncompliance: Failure to Comply with HIPAA
HIPAA compliance and cybersecurity go hand in hand. Many of the steps required to implement a HIPAA compliance program also reduce the risk of breaches. However, failure to comply with HIPAA brings not only the costs of dealing with breaches but also costly HIPAA violation fines.
Security Risk Assessments and Remediation
One of the most critical parts of both HIPAA compliance and cybersecurity is conducting annual security risk assessments (SRAs). An SRA analyzes your organization’s administrative, technical, and physical safeguards to ensure they are adequate to maintain the confidentiality, integrity, and availability of protected health information (PHI). Conducting an SRA identifies weaknesses and vulnerabilities in your PHI safeguards, allowing you to create remediation plans to close those deficiencies. Organizations that fail to conduct an annual SRA fail to comply with HIPAA standards and leave themselves vulnerable to breaches.
Employee HIPAA Training and Policies and Procedures
A large portion of healthcare breaches occur due to human error, whether from a lack of HIPAA awareness or a lack of cybersecurity awareness. The HIPAA regulation defines several types of incidents as breaches, including unauthorized access to or disclosure of PHI and hacking incidents. To prevent these types of incidents from occurring, employees must be trained on HIPAA basics, your organization’s HIPAA policies and procedures, and cybersecurity best practices. Training on HIPAA basics and on policies and procedures gives employees guidance on the permitted uses and disclosures of PHI within your organization and their job responsibilities, while cybersecurity best practices training gives employees an understanding of how to recognize phishing attempts.
Business Associate Agreements and Vendor Management
Ponemon Institute determined that 54% of healthcare vendors had experienced at least one data breach affecting protected health information (PHI). However, healthcare providers continually neglect their obligation to adequately vet the vendors they work with. Although many healthcare providers partially address their vendor vetting obligation by sending risk assessment questionnaires, 41% continue to work with vendors that have gaps in their security and privacy practices.
Additionally, 42% of healthcare providers fail to obtain proof that vendors are securing PHI. Having a signed business associate agreement (BAA) with your vendors requires them to be HIPAA compliant and to maintain their compliance. It also limits your liability should the vendor be breached, as only the culpable party would be held responsible. Without a signed BAA, both parties are liable and would be subject to HIPAA violation fines.
HIPAA Violations and Fines
Not all breaches are considered HIPAA violations. HIPAA violations occur when an organization fails to comply with HIPAA standards. But the HHS’ OCR doesn’t only investigate organizations that have suffered a breach; it also investigates organizations that have had a complaint issued against them. Such a complaint can come from an employee of the organization or from a patient.
Tier 1 is the “No Knowledge” Tier: $100-$50,000 Per Incident
Under this tier, an organization did not know (and, by exercising reasonable diligence, would not have known) that a member of its workforce violated HIPAA.
Tier 2 is the “Reasonable Cause” Tier: $1,000-$50,000 Per Incident
Under this tier, the violation was due to reasonable cause, not willful neglect. “Reasonable Cause” means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA regulation.
Tier 3 is the “Willful Neglect – Corrected” Tier: $10,000-$50,000 Per Incident
In this tier, the violation is due to willful neglect, but the violation is corrected promptly.
Tier 4 is the “Willful Neglect – Not Corrected” Tier: $50,000 Per Incident
In this tier, the violation is due to willful neglect and is not corrected promptly.
HIPAA Compliance Reduces Breach Costs
An effective compliance strategy (including HIPAA compliance) may be one of the best tools for controlling the cost of a data breach. The average cost of a data breach at organizations with low levels of compliance failures (failures resulting in fines, penalties, and lawsuits) was $3.35 million.
On the other hand, organizations with high levels of compliance failures suffered average data breach costs of $5.65 million – 67.7 percent more than the group with low levels of compliance failure.
Incident Response Plans
Organizations with a tested incident response plan in place lowered their cost per incident by 54.9%. The average data breach takes 212 days to identify and 75 days to contain. Part of HIPAA compliance is implementing an incident response plan to facilitate quick detection and response to incidents, drastically reducing breach costs.
Encryption, AI, and Analytics
Companies that had encryption, artificial intelligence-based security solutions, and security analytics saved anywhere from $1.25 million to $1.49 million per incident. To be HIPAA compliant, healthcare organizations must encrypt their electronic protected health information (ePHI) to prevent unauthorized access to sensitive data. HIPAA also requires access to ePHI to be tracked and monitored, allowing organizations to respond to incidents quickly.
Zero-trust Security Strategy
Organizations that had adopted a zero-trust security strategy spent an average of $1.76 million less per incident than organizations that had not. The zero-trust security model “assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.” Cybersecurity is also an essential part of HIPAA, especially with the newly passed bill that requires the HHS to incentivize healthcare organizations that adopt a well-known cybersecurity model, such as zero trust.