When it comes to cybersecurity, healthcare organizations, so far, haven’t taken big enough financial or reputational hits to prompt them to invest in appropriate digital defenses.
An analysis by Politico of breaches at Community Health Services in 2014 and Anthem in 2015, which together affected more than 83 million patients, finds that such attacks haven’t significantly hurt the stock prices of either.
In earnings calls since, the article points out, analysts have not questioned the two organizations about the breaches or the potential repercussions; one investment bank analyst called the Anthem breach a "normal business risk."
Still, according to the Ponemon Institute, breaches have cost the healthcare industry $6.2 billion, with the average cost to an individual organization $2.2 million.
The industry itself and government regulators have been criticized for being too lax about cybersecurity. Healthcare is seen as less prepared to fend off attacks than retail or financial services, for instance.
The Office for Civil Rights, however, has been levying some hefty HIPAA enforcement fines of late.
And even though the class-action lawsuits filed after breaches most often are dismissed, that could change, Kirk Nahra, a privacy lawyer with Wiley Rein, tells Politico.
"If a significant court says, you know what, the fact that your data is out there is in itself an injury. As soon as you have a case like that, you’re going to see thousands of these cases," Nahra says.