Significant exposure
The scale of protected health information (PHI) maintained by healthcare organizations and the digitization of electronic health records have increased the vulnerability to large breaches. Compulsory breach notification laws create a great deal of legal exposure. In addition to the patchwork of state laws affecting all businesses, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) operate at the federal level. These laws require time-consuming and labor-intensive internal investigations and specialized outside vendors, and can often disrupt a healthcare organization’s ability to prioritize patient care.
Class action lawsuits
The publicity and patient dissatisfaction that surround a cyber breach have spurred a wave of legal complaints against organizations big and small. Relying on a variety of medical privacy laws, enterprising plaintiffs’ lawyers have filed complaints seeking billions of dollars in damages. The specter of such damages, and the sizeable costs of litigation, often push organizations to settle even in the absence of any clear harm to the affected patients.
Regulatory investigations and penalties
State and federal regulators have made one point clear: a significant breach of patient information will result in monetary penalties, onerous corrective action plans, and ongoing audits. Whether through the strict data privacy and security requirements of HIPAA/HITECH, or the increasing interest of state attorneys general in enforcing medical privacy laws, the regulatory landscape for healthcare organizations carries an immense amount of risk. Regardless of any legal liability, a cyber breach greatly increases the risk of reputational and brand damage.