HIPAA doesn’t allow shortcuts when it comes to responsibility for patient privacy. But more than 162,000 individuals are receiving a breach notification letter even though the medical practice hasn’t determined if they were truly affected by the breach.
Gastroenterology Consultants in Houston experienced a ransomware attack in January. The practice decided to notify all the potentially affected individuals because the cost of investigating the details was so high. In a statement posted on its website in March the practice said “… the time and effort to manually review thousands of documents was not cost-effective.”
Breach Notification Requirements
Gastroenterology Consultants is subject to both HIPAA and Texas breach notification requirements that require notification no later than 60 days after discovery of the breach. HIPAA requires that the notice be sent to each individual whose unsecured protected health information (PHI) has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach with a description of the types of PHI that may have been exposed.
But the March 19 notice posted on their website doesn’t comply with these requirements. It is late and ambiguous. The ‘Notice to All Patients’ is only a frightening warning that ‘some’ of their PHI may have been exposed. And it is coupled with the excuse that a thorough breach investigation was ‘not cost-effective.’
Healthcare Data Breaches are Expensive
There are multiple reasons why breaches are expensive. There is the cost of the initial forensic investigation to determine exactly what happened, what data was stolen and whether it can be recovered. This is just the beginning. Legal fees, practice downtime, costs of notification to affected patients, managing public relations and media, responding to an Office for Civil Rights investigation, and loss of reputation all add up. Add to that any ransom paid to the attackers, and the costs are through the roof. While data breaches are rising throughout the world and affecting every industry, healthcare costs are rising more than any other sector.
While paying a ransom demand is tempting, most cybersecurity experts warn against it. There is no guarantee that the criminals will keep their word and not sell the data or attack again. Paying ransom also encourages the bad guys to keep attacking others. The FBI and the Cybersecurity & Infrastructure Security Agency (CISA) both recommend against paying ransom.
It is likely that the fallout from this breach and the notification will continue. Stay tuned.