A HIPAA breach carries a huge financial penalty, and one on the scale of the breach that recently affected Anthem Inc. is expected to result in costs of many tens of millions of dollars.
Anthem holds an insurance policy from the American International Group to protect against cyber crime and data exposures, and is covered for losses up to $100 million. Even this sizeable amount may be exhausted by the latest data breach.
The total cost, which is unlikely to be known for many months, may exceed the $100 million barrier once the costs of issuing breach notifications, paying OCR penalties, implementing new security measures and fighting lawsuits are factored in.
Further costs must also be covered to mitigate any damage caused, such as providing credit monitoring services to victims free of charge. Anthem originally offered a year of credit monitoring services but has since extended this to two years. If 80 million individuals have been affected, damage mitigation costs alone will take up a sizeable chunk of the insurance payment.
The OCR has already announced that it is looking into the breach as a privacy violation, and could conceivably fine Anthem up to $1.5 million if the insurer is found not to have implemented sufficient controls to protect the data it holds on its plan members. If the OCR decides to conduct a full compliance audit, further penalties could also be issued for any non-compliance issues it discovers.
In addition to the threat of sanctions from the OCR, Anthem will also have to face civil suits seeking damages. So far four class action lawsuits have been filed against Anthem in California, Alabama, Georgia and Indiana, with victims seeking unspecified damages. One suit argues that claimants would have paid more for coverage that ensured data security and that they should have been charged additional costs for it, and all claim that a lack of attention to security vulnerabilities was the reason for the breach.
A class action lawsuit seeking just $100 per individual would, if successful, cost the company $8 billion, although there must have been some harm or damage suffered for a damages claim to be successful.
However, if a case does succeed, the potential damages are likely to be higher than the $50 per individual that is typically seen in cases of credit card number theft. The disclosure of permanent identifiers such as Social Security numbers and medical ID numbers could conceivably result in a lifelong threat, and the damages claimed are therefore likely to be much higher.
The message to healthcare providers and insurers covered under HIPAA is that it is better to invest in data security measures than to have to cover the cost of a breach.