What is a Data Breach?

The definition is generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information.
An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the protected health information or to whom the disclosure was made.
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

In other words, you must PROVE that a breach did NOT occur. You are essentially guilty until you prove your innocence.

Although theft is still a major contributor of data breaches, activity from hackers are on the rise. Healthcare has the highest cost per breach and the United States is the highest cost per country. The average data breach in the U.S. costs $3.86 million while the average cost went down, healthcare went up to an average of $7.13 million per breach.

Breaches caused by malicious attack were at 52%, and breaches with customer PII was at 80%.

The average cost is about $150 per record and $175 for malicious attacks. For a small practice with only 5,000 patient records, that equals $750-$875K. Do you have an extra million sitting around to lose?

With the increasing cost and volume of data breaches, IT security is quickly moving from being considered as a technology issue to a larger business risk. It is no longer an option not to utilize an IT company that specializes in network security. Healthcare is a huge target, and every organization should fully vet their IT vendor. They are not all created equal. Aris works with some of the best in the industry, give us call if you need some guidance.

This security shift has increased interest in cyber insurance. We recommend that all organizations that come in contact Protected Health Information whether paper or electronic, invest in cyber liability insurance. It is just as important as your general liability, med-mal, and even car insurance! It is recommended to work with a qualified cyber liability agent to make sure you have the coverage you think you do. Be sure to read the exclusions page. Some policies will not pay out if the organization has not conducted a system wide risk analysis and documented their mitigation process. Again, if you need guidance, Aris has worked with several qualified companies.

The Office for Civil Rights investigates data breaches small and large. Always remember that if you cannot specifically document which records were breached, all records are considered to be breached.

For information on current OCR data breaches over 500 patient records, click below:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

For information on all data breaches large and small for all industries, click here:

https://www.privacyrights.org/data-breach

https://www.databreaches.net/news/

Click here to learn more how we can work together and get HIPAA compliant