The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices
Figure 1: Healthcare organizations are also responsible for the data of their Business Associates and their Business Associates’ subcontractors. (Figure labels: Business Associates; Subcontractors of Business Associates)
DATA BREACH SETTLEMENT WITH MINNESOTA AG
One of the most destructive data breach cases of the past few
years involved a Chicago-based medical billing and revenue
management services company.
In July 2011, an employee of the organization left an unencrypted
laptop containing the PHI of 23,500 patients inside a rental car
which was subsequently stolen, never to be recovered. Data on
the laptop included patient names, dates of birth, social security
numbers, billing information, and medical diagnostic information.
Although there has been no report of any unauthorized use
of the data to date, the incident caught the attention of Lori
Swanson, Minnesota’s Attorney General, which led to a wider
investigation into the company’s business practices in the state.
The FTC [7] alleged that the organization failed to:
• Provide appropriate security measures to protect consumers’
personal information
• Employ reasonable procedures to ensure that personal
information be removed from computers when it is no longer
needed
• Adequately restrict employee access to personal information
based on an employee’s need for the information
HEALTHCARE DATA BREACH—THE CONSEQUENCES
In July 2012, the Healthcare organization settled the HIPAA-HITECH complaint instituted by the Minnesota Attorney General
for $2.5 million, but that was just a fraction of the overall cost to
the business. The organization agreed not to conduct business
in the state of Minnesota for a minimum of two years and up to
six years. The decision of when it may resume business after the
first two years is at the sole discretion of the Attorney General.
MINNESOTA 2012-2013
Minnesota AG HIPAA-HITECH Settlement: $2.5 million
Annual loss to the business: $23 – 25 million (for at least 2 years and up to 6 years)
Class action settlement: $14 million
Total number of records breached: 23,500
Total cost per record: $2,000 – 6,000
The organization signed a consent decree at the insistence of
the FTC. Pursuant to the decree, the organization must have an
immediate audit of its data security procedures and protocols
by an independent third-party auditor, with such audits recurring
every two years for the next twenty years.
Before the breach, Minnesota had been home to the
organization’s largest customer. However, this customer cut ties
with the organization after the investigation.
The impact this case has had on the organization’s bottom
line is significant—revenue losses from the state of Minnesota
alone are estimated at $23-$25 million per year. The case also
prompted two more federal investigations, including a Senate
hearing, and a class action lawsuit by shareholders which was
settled in September 2013 for $14 million.
Whitepaper | 3
Figure 2: Timeline of events in the Minnesota case
07/11: Laptop stolen from employee rental car
01/12: Minnesota AG suit filed
07/12: $2.5M settlement
04/13: CEO replaced
06/13: Class action suit filed
08/13: CFO replaced
09/13: $14M class action settlement
12/13: FTC settlement
The organization was in turmoil following the investigations,
lawsuits, and settlements and the board replaced both the CEO
and the CFO.
This particular settlement is an important reminder that the Office
for Civil Rights is not the only enforcer of health information,
privacy, and security regulations. While not as common, the FTC
can also exercise its authority to find a lack of data security as
an unfair or deceptive trade practice under Section 5 of the FTC
Act. The need for Healthcare organizations to remain compliant
with HIPAA not only protects them from HIPAA auditors, it also
ensures they are not exposed to additional enforcement actions
from other regulatory and government bodies.
This data breach resulted in direct costs in excess of $60 million
in fines, penalties and lawsuit settlements. This does not include
the legal fees, the cost of the new security protocols and audits,
nor the lost revenue – all from the loss of a single laptop.
DATA BREACH SETTLEMENTS WITH OCR
No verdicts have been made against any Healthcare organization
for non-compliance with HIPAA regulations. All cases to date
have resulted in settlements as Healthcare organizations do not
want to be the first to set a very public precedent in these cases.
In May 2014, a Texas-based national Healthcare company [9]
agreed to a settlement of $1.7 million with the OCR for privacy
violations relating to an unencrypted laptop that was stolen from
a Missouri physical therapy center in November 2011. The
unencrypted laptop contained 870 health records.
In addition to the fines, the company agreed to adopt a
corrective action plan and to document its efforts at
remediation.
TEXAS 2014
OCR Settlement: $1.7 million
Total records breached: 870
Total cost per record: $1,954
In April 2014, an Arkansas-based Healthcare company [10]
agreed to a settlement of $250,000 with the OCR for
HIPAA violations. In February 2012, an unencrypted laptop
containing the PHI of 148 individuals was stolen from
an employee’s car.
While the company encrypted its devices following
discovery of the breach, OCR’s investigation revealed that it
failed to comply with multiple requirements of the HIPAA Privacy
and Security Rules. As part of the settlement, the company is
required to provide the OCR with an updated risk analysis and
corresponding risk management plan that includes specific
security measures to reduce the risks to and vulnerabilities of
its PHI. The company is also required to provide data security
training to its employees and document all compliance efforts.
Shortly after the settlement, the company was acquired by a
larger organization through a stock-purchase agreement.
ARKANSAS 2014
OCR Settlement: $250,000
Total records breached: 148
Total cost per record: $1,689
DATA SECURITY COMPLIANCE
These cases offer a frightening insight into the consequences
of human error. If each of the organizations had the correct
security policies and solutions in place, the employees would
have reported the loss of the laptops and IT could have taken
appropriate measures such as:
• Freezing the device so it becomes unusable
• Remotely deleting the data
• Retrieving data from the device
• Tracking the device using geolocation
• Running reports to prove compliance (data delete logs,
encryption status reports, whether data was accessed by
unauthorized users)
If these organizations could have developed sufficient evidence
of a “low probability” that PHI had been accessed or transferred
by unauthorized persons, HIPAA-HITECH statutes and regulations