The Community Health Systems breach exposing 4.5 million patients' data in 29 states is expected to be costly--the total bill could be somewhere between $75 million and $150 million, according to a calculation at Forbes.
The first class-action lawsuit was filed within hours after the breach was announced. And an attorney for the Office for Civil Rights said earlier this year that its crackdown on HIPAA violations over the past year will "pale in comparison" to those coming in the next 12 months.
OCR has levied nine fines totaling more than $10 million since June 1, 2013. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.
The Forbes article puts a price tag on the possible major costs in a breach:
- Remediation (technical, legal and administrative)
- OCR fines associated with HIPAA violations
- Identity theft protection or credit monitoring for patients
- Defending against both patient and shareholder lawsuits and settlements
- The incalculable cost of potential insurance fraud stemming from 4.5 million exposed Social Security numbers
It notes that Blue Cross Blue Shield of Tennessee estimated the total bill at $17 million for a breach two years ago involving about 1 million patient records. That included $7 million to improve its internal security and a $1.5 million settlement with OCR. It did not have patient or shareholder lawsuits, however.
The biggest potential cost, however, is to the healthcare system overall with 4.5 million Social Security numbers that could be used for medical insurance fraud--costs that add to everyone's health premiums.
Experts believe hackers used the computer bug Heartbleed to access the systems in the breach, and the FBI issued a "flash" alert last week warning that hackers are targeting healthcare organizations, Reuters reports.
Meanwhile, lawsuits from healthcare data breaches are becoming more sophisticated, growing beyond trying to show that exposure of patients' personal information led to financial harm.