I know that all of you already know HIPAA security. And I’m sure that you don’t need a recap about the ramifications of HIPAA violations.
Frankly, every single IT security company is saying pretty much the same things. Warning about violations for this or that. Telling you that you’re not doing enough and that the government will penalize you—either CMS will fine your organization for violations directly or through reimbursements.
You get that.
And I’m pretty sure the government isn’t going to hunt you down and blead you dry. It’s just not in their best interest. In fact, rural health organizations are the bread and butter of your communities. If you’ve mistakenly violated some part of HIPAA, I think the odds of you getting slapped with a big fine is not very large.
BUT, what’s more concerning are the other ramifications from not entirely protecting your patient’s protected health information (PHI).
A couple of weeks ago, we saw how much a hospital might have to shell out if a data breach happens.
WAY back in 2014 the Tennessee-based Community Health System’s (CHS) underwent a cyberattack, where patient data was seized in a cyberattack.
NOW in 2019, these patients are being compensated by CHS.
Let me explain…
In 2014, CHS discovered malware installed on their network. This malware (which is short for malicious software) allowed unauthorized individuals access to patient information between April and June of 2014.
Cybersecurity experts believe that the actors behind this attack were based somewhere in China.
The malware attack had a sole purpose of obtaining sensitive data in an attempt to steal individual identities. The investigation pursuing after the attack confirmed that patient data, including names, addresses, phone numbers, dates of birth, Social Security numbers—were all stolen. Nearly 4.5 MILLION patient records were stolen in the attack.
At the time, this had been the largest healthcare data breach reported on US soil (and still ranks as one of the top 10 attacks of all time).
Following the breach, many lawsuits were filed by patients seeking compensation for theft of their information. Over time, these lawsuits consolidated into a single suit, which CHS attempted many times to dismiss.
At this point—CHS has agreed to a settlement to this suit. (And the news isn’t great for the hospital system).
The hospital has agreed to two different payments for victims:
Out-of-pocket expenses—the hospital system agreed to pay any out-of-pocket expenses as a result of the breach or to those that can show evidence of time lost securing their accounts—can claim up to $250 per claimant.
Identity theft—for individuals that have experience identity theft or fraud, are eligible up to $5,000 per claim.
On top of this, the hospital has racked up nearly a million dollars in legal fees—also covered by the settlement. Along with a spate payment of $3,500 for each representative of the class action suit.
Does this seem fair to you?
What if your hospital underwent a cyberattack—to the likes of CHS, where a large number of records were breached?
What if I told you, hackers are developing new techniques to access your network right this very minute? Last week, cybercriminals devised a new deceitful way of getting into hospital networks by compromising your team’s social media credentials.
They then mine their social media pages for relevant information, with intent of penetrating your hospital’s network.
Does it seem fair to you that a judge find your hospital in violation—even when you are trying your best to keep your hospital afloat?
Contact us today for a free hospital ransomware vulnerability assessment.
