Being right is sometimes a double-edged sword. In our 2015 Data Breach Industry Forecast, the Experian Data Breach Resolution team predicted that healthcare-related data breaches would continue to be a growing concern in the coming year. Already, the news is verifying our prediction.
As of the last week of February 2015, 29 healthcare industry-related breaches had been reported, compromising nearly 88 million records and accounting for more than 99 percent of all compromised records in the first two months of the year, according to the Identity Theft Resource Center. Without question, the Anthem Inc. breach was the largest of the lot, exposing the private information of an estimated 78.8 million consumers, including an estimated 8.8 million to 18.8 million who were not Anthem customers. Those preliminary estimates for the Anthem breach alone already surpass the total number of records involved in all the medical/healthcare industry breaches that occurred in 2014 – 8.2 million, based on ITRC statistics.
Data breaches are an ever-growing risk for all businesses, but nowhere, perhaps, is their threat and impact more apparent than in the healthcare industry. When a data breach occurs in any industry, it puts the financial well-being of both the exposed consumers and the breached company at risk. When a healthcare breach occurs, consumers – often rightly – fear their very health may also be in jeopardy, because medical records can be used for insurance fraud or altered in ways that affect treatment. The reputational damage can be devastating. So can the monetary costs. CNET reported that the cost of Anthem’s breach could top $100 million, a tab that may exhaust the insurer’s cyber-insurance policy.
Having a clear data breach response plan that addresses remediation should be a priority for all healthcare industry organizations, yet ample evidence indicates the industry at large needs to do better.
Distressingly, more than half (54 percent) of the healthcare industry IT and security professionals surveyed for the 2013 HIMSS Security Survey said their organizations spent less than 1 percent of their overall IT budget on data breach/cyber incident remediation. Eighteen percent spent between 1 and 3 percent, 2 percent spent 7 to 12 percent, and a stunning 20 percent didn’t know how much they spent on remediation. What’s more, when a breach occurred, notification actions were inconsistent: 79 percent said they notified affected patients, 47 percent notified the government, and only half of those with a breach that impacted more than 500 patients reported it to the local media, even though the HIPAA Breach Notification Rule requires media notice for breaches of that size.
Underwritten by Experian Data Breach Resolution, the HIMSS report concluded that healthcare organizations need to improve their security measures, and we concur. An effective data breach response plan – one that assigns responsibilities, sets notification timelines and budgets for remediation before an incident occurs – is a vital tool to protect a healthcare organization from the potentially monumental negative fallout of a data breach.