Community Health Systems breach cost estimates as high as $150 million

The Community Health Systems breach exposing 4.5 million patients' data in 29 states is expected to be costly--the total bill could be somewhere between $75 million and $150 million, according to a calculation at Forbes.

The first class-action lawsuit was filed within hours after the breach was announced. And an attorney for the Office for Civil Rights said earlier this year that its crackdown on HIPAA violations over the past year will "pale in comparison" to those coming in the next 12 months.

OCR has levied nine fines totaling more than $10 million since June 1, 2013. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.

The Forbes article puts a price tag on the possible major costs in a breach:

  1. Remediation (technical, legal and administrative)
  2. OCR fines associated with HIPAA violations
  3. Identity theft protection or credit monitoring for patients
  4. Defending against both patient and shareholder lawsuits and settlements
  5. The incalculable cost of potential insurance fraud stemming from 4.5 million exposed Social Security numbers

It notes that Blue Cross Blue Shield of Tennessee estimated the total bill at $17 million for a breach two years ago involving about 1 million patient records. That included $7 million to improve its internal security and a $1.5 million settlement with OCR. It did not have patient or shareholder lawsuits, however.

The biggest potential cost, however, is to the healthcare system overall with 4.5 million Social Security numbers that could be used for medical insurance fraud--costs that add to everyone's health premiums.

Experts believe hackers used the computer bug Heartbleed to access the systems in the breach, and the FBI issued a "flash" alert last week warning that hackers are targeting healthcare organizations, Reuters reports.

Meanwhile, lawsuits from healthcare data breaches are becoming more sophisticated, growing beyond trying to show that exposure of patients' personal information led to financial harm.

To learn more:
- read the Forbes article
- here's the Reuters story

Suggested Articles

An assessment looking at 12 health systems that allow patients to download their health records to their smartphones via APIs finds modest uptake.

The National Institutes of Health-led All of Us precision medicine project has enrolled 230,000 participants with another 40,000 people registered.

Hospitals must pursue a deliberate strategy for managing their public image—and a powerful tool for doing so is inpatient clinical data registries.