Counting the Costs of a Data Breach
Fallout from a data breach affects much more than a provider’s bottom line. HIStalk looks at the impact ransomware attacks have on provider credibility and patient loyalty, plus offers tips on shopping for identity theft protection services.
By @JennHIStalk
Data breaches continue to make headlines, and while health IT system infiltrations may not garner as much press as those allegedly perpetrated by Russian hackers, they have providers and patients on edge all the same.
Much has been made of the breaches themselves – how attackers got in, how much ransom was paid, resultant HIPAA violations, etc. – yet little focus has been placed on the post-breach cleanup, which has perhaps the greatest impact on patients and the reputation of healthcare organizations.
In attempting to handle the aftermath, providers typically send out communications with language similar to that included in Rainbow Children’s Clinic’s (TX) recent letter to the 33,368 patients affected by an August ransomware attack on its servers:
Notification letters mailed today include information about the incident and steps potentially impacted individuals can take to monitor and protect their personal information. Rainbow Children’s Clinic has established a toll-free call center to answer patient questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 am to 8:00 pm, Central Time and can be reached at 1-844-607-1700. In addition, out of an abundance of caution, Rainbow Children’s Clinic is offering potentially impacted individuals monitoring and identity theft resolution through Equifax at no cost. Additional information and recommendations for protecting personal information can be found on the Rainbow Children’s Clinic website at www.rainbowchildrens.com.
The establishment of call centers, websites, and free identity theft resolution for affected individuals may seem logical, but they all come at a cost that some providers just can’t afford. Athens Orthopedic Clinic (GA) has suffered a tremendous amount of community fallout in the wake of a June ransomware attack that affected 200,000 patients. Patients have taken to the local paper and social media to voice their frustrations with not being told immediately about the breach and to condemn the clinic for not offering to pay for credit monitoring.
“Many patients are upset and frustrated with the situation,” AOC CEO Kayo Elliott said in a statement. “And of course, they wish we could pay for extended credit monitoring. So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and am truly sorry for the position this puts our patients in.”
The mea culpa continued with an op-ed authored by AOC surgeon Chip Ogburn, MD who pleaded with the community for understanding and brought to light the impact AOC’s cleanup methods have had on its reputation. “We are upset with the potential mark this leaves on the credibility and integrity of our clinic,” he wrote in the Athens Banner-Herald. “For 50 years we have endeavored to provide Athens with the highest level of orthopedic care and are even more committed to that promise today.”
Despite AOC’s public-relations efforts, it’s been reported that two law firms are investigating the possibility of pursuing class-action lawsuits against the clinic. Such PR nightmares, while a potentially business-ending burden for AOC, highlight the importance other providers need to place on preparing for such attacks. And while security assessments should be done and protections put in place, clean-up costs like credit monitoring services must be taken into account, too. Preparing for, dealing with, and cleaning up data breaches seem to have become a cost of doing business.
Providers Get Proactive With Identity Theft Protection Services
As with any type of data breach, patients are typically directed to the credit-monitoring and reporting services of three institutions – TransUnion, Equifax, and Experian. While they aren’t the only companies that offer identity protection services, they are the most well known.
“TransUnion and other credit bureaus are resources for monitoring and protecting credit,” explains Gerry McCarthy, president of TransUnion’s healthcare solutions. “Our monitoring services include fraud alerts for any credit changes, access to live professionals to discuss any credit issues, and optional identity restoration services. In the event of a breach, providers will work with TransUnion and the other credit bureaus to set up monitoring services for affected patients.”
“We are starting to see proactive contracting with our healthcare customers who already utilize our RCM services,” he adds. “They are preparing to act quickly in case of a breach. Our credit and credit-monitoring usage by healthcare organizations has increased dramatically over the past two years. We believe this will be a standard service offered in both healthcare and other industries that deal in both consumer healthcare and financial data.”
Michael Bruemmer, vice president of consumer protection at Experian Consumer Services, backs up McCarthy’s provider utilization figures. “Last year, we serviced about 3,600 different data breaches and 40 percent of them involved healthcare, including pharma, payers, and business associates,” he says. “We’re seeing the biggest growth in smaller entities tied to a rise in ransomware. About 25 percent of our clients that we’ve been involved with in these circumstances have actually paid the ransom.”
With such an increase, Bruemmer is certain that proactive identity theft protection services will soon become a regular cost of doing business, and perhaps even a customer service / loyalty differentiator. He cites the Blue Cross Blue Shield Association as an example: “They announced last August that all of their plans – 34 separate BCBS entities around the country – will provide free identity theft protection for any of their current members if they want to sign up. This would be in advance of a breach. That was something that the association got behind, and I think that’s a great leading example of where identity theft protection is going to be used as a preventative measure for all patients, employees … even BAs and their staff. If a breach happens after that, they don’t have to scramble and go through the process because people already signed up for it.”
“I think it’s important for patients, especially if they’re switching providers or reviewing their physician’s annual privacy policy, to start asking questions like, ‘Where do you have my records? Where are they being stored? What security practices do you have in place? If something bad were to happen, would you respond?’ I think those are fair questions to ask with any type of provider, whether it’s your dentist, doctor, or pharmacist, let alone your insurance company.”
Shopping Around
Providing such services ahead of a breach sounds nice in theory, but how viable of a solution is it for the average provider, especially independent practices that operate with little cash on hand? Bruemmer explains that Experian’s pricing is based on a number of factors.
“We have a rate card that we publish out to clients that request it,” he says. “It’s an a la carte menu with prices tiered from quantity one up to the millions of people that could be affected. There are various pricing tiers and it is by each service. You have a cost for notifications, a cost for call center, and then a cost for the product itself. It depends on the circumstances, because in most cases, you’re going to be pricing by the number of people that actually sign up for a product. Let’s say there are 10,000 people affected by a breach. We would charge a wholesale rate for identity theft protection for only those people who subscribe to that protection. We then bill that back to the client who paid for this on behalf of the patients at the end of the breach.”
Aside from price, Bruemmer suggests that providers look at a credit-monitoring company’s experience, performance record, and response time when shopping around for such services. “They should be asking, how many breaches have you serviced? Have you serviced more complex breaches? Will you service small breaches? And then they should look at the performance record by asking, how big a breach have you serviced? What’s your customer satisfaction rating? Do you have any complaints? Any Triple A ratings from the Better Business Bureau?”
“Those are the typical things to look for,” he explains. “The third most important differentiator is response time, because the clock is ticking after a breach is discovered. The response time to a breach – determining how many people were affected and what type of information was compromised – to become legally compliant is important. The fourth factor is actually price, or the price-value relationship.”
Don’t Forget to Use It
Bruemmer stresses that once a provider has invested in such services, it’s important that their affected patients actually use them. “My advice for patients is to, first of all, read the notification letter, email, or visit the website of your provider. Second, take advantage of the services made available to you free of charge. There’s no reason not to sign up for it. Some consumers worry about giving us their information, but we’ve already got things like their Social Security numbers. We don’t allow fraudsters to get in. Last but not least, be curious about things that might happen and ask questions. I’ve already mentioned the questions you’ll want to ask a new provider, but also watch out for any new accounts, any unsolicited emails or letters that you might not normally receive. Those might be early indicators that someone is trying to get more pieces of your identity or use your identity against you. The more curious you are, the easier it is to spot these things. It goes without saying that you should pay attention to the free credit monitoring report or Dark Web service alerts included as part of your provider’s identity theft protection package. We have some people that sign up for the service and they never look at their alerts, which is just unconscionable.”
Be Proactive to Keep the Doors Open
Providers eager to avoid AOC’s predicament should, as McCarthy stresses, “be proactive and ensure they have contingency plans to protect patient information in case of a data breach. This includes having a relationship with a credit monitoring service to protect that information, the long-term identity of patients, and their credit.” It seems that in this digital day and age, taking such proactive measures might also just save a provider’s reputation.
The Shkreli Awards, celebrating excellence in quackery! Be the Best at being the Worst! Innovate your way to prison and…