Hospital Chain Breach: How Expensive?Community Health Systems Says Cyber-Insurance Will Help
The price tag for resolving the data breach at Community Health Systems that affected 4.5 million patients could potentially exceed $100 million, by some estimates. But how much will cyber-insurance cover?
In an 8-K filing with the Security and Exchange Commission on Aug. 18, Community Health Systems says the 206-hospital chain "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the company does not believe this incident will have a material adverse effect on its business or financial results."
But keep in mind, the breached retailer Target Corp, which also has cyber-insurance, said on Aug. 5 that of its estimated gross breach expenses of $236 million so far, only about $90 million will be covered by insurance (see Target's Breach Costs Continue To Mount). That December 2013 incident compromised 40 million credit and debit cards and the personal information of 70 million customers (see Target Breach: By the Numbers).
So it remains to be seen how much of Community Health Systems' breach tab actually will be covered by cyber-insurance - and how much the hospital chain will have to pay.
CHS did not respond to a request for comment on its breach expenses.
The Value of Insurance
"Just about every healthcare organization today needs cyber-insurance because they have electronic health records, patient portals and are exchanging patient data online," says Brian Evans, senior managing consultant at IBM Security Services.
"Cyber-insurance policy coverage and cost will depend on a variety of factors that include the organization's size and what they have already done to secure themselves," Evans says. Among the expenses a policy might cover are the cost of conducting an investigation into a breach, as well as notifying patients and offering them free credit monitoring.
"Plus, the increased popularity of purchasing cyber-insurance is making it more affordable," Evans notes. "Not having cyber-insurance can prove costly for organizations. But the organizations I know that have cyber-insurance tell me that it minimally helps them sleep better at night."
Read the Fine Print
Healthcare compliance attorney Betsy Hodge of Akerman LLP stresses that for those considering buying insurance coverage for breaches, "it's important to read the fine print in policies and ask what's covered." That includes asking whether the policy covers defense of breach-related lawsuits, and whether any damages awarded in a lawsuit "eats away" from the amount covered to pay for the legal defense of case.
"Some policies will cover government fines, but others won't," she notes. The Department of Health and Human Services' Office for Civil Rights since 2008 has signed 21 HIPAA resolution agreements that included financial payments of up to $4.8 million, plus one case that involved a $4.3 million civil monetary penalty, which is considered more punitive.
Fines and other breach resolution expenses can quickly add up, even for breaches that are smaller-scale than the huge incidents at Community Health Systems and Target.
For example, Blue Cross Blue Shield of Tennessee spent nearly $17 million on investigation, notification and protection efforts in the aftermath of a 2009 breach that affected 1 million individuals. In addition to those costs, the health insurer was smacked with a $1.5 million HIPAA settlement.
Cost of Breaches
Larry Ponemon, chairman of research firm Ponemon Institute, which conducts an annual study examining the cost of breaches, tells Information Security Media Group that healthcare organization can expect to pay direct costs of between $17 and $19 per record breached in a security incident. All those costs may, or may not, be covered by an cyber-insurance policy, as the Target case shows.
So for Community Health Systems, direct costs could potentially hit $76.5 million to $85.5 million. That includes such expenses as breach notification; administrative services, such as help desks for victims; credit monitoring; and forensics.
In addition, Ponemon says, healthcare organizations face an estimated potential cost of $10 to $12 per victim to cover other expenses, including litigation and other legal costs. In Community Health Systems' case, that would potentially add another $45 million to $54 million to the tab.
Paying out "a large chunk of cash like that could be fatal to some companies," Ponemon says. That's why cyber-insurance coverage is important, even if it only lessens the financial sting.
Already, at least one class action lawsuit has been filed in the wake of the hospital chain's breach.
Patient Information Exposed
Community Health Systems says a network data breach exposed 4.5 million individuals' personal information, including names, addresses, birthdates, telephone numbers and Social Security numbers for patients who, in the last five years, were referred for or received services from physicians affiliated with the hospital chain, according to its 8-K filing.
Because the breach of detailed personal information creates the risk of identity theft, Community Health Systems is offering affected individuals free ID theft protection services.
Mandiant, which is providing forensics services to the hospital chain, believes that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to the filing. The hospital chain says the attack most likely occurred in April and June. Attackers used highly sophisticated malware to bypass security measures and successfully copy and transfer certain information out of the system, the hospital chain reports.
Some security experts have alleged that the Community Health System breach is the result of hackers taking advantage of the recent Heartbleed OpenSSL vulnerability (see Is Heartbleed Behind Healthcare Breach?).
Another potential cost facing Community Health Systems include potential financial penalties from federal regulators. Under the HIPAA Omnibus Rule, which went into effect last year, enforcement penalties can range up to $1.5 million per HIPAA violation.
On top of that, the hospital could also potentially face higher than average forensics costs because of the nature of the breach, Ponemon says. "The hacking attack seems to be targeted by the Chinese, and that's a bit unusual for healthcare, which could add to the forensics costs because it's more complex," he says.
Besides the direct monetary expenses of dealing with a breach, organizations face other costs as well. "The biggest damage is reputational," Ponemon says. That includes ill will from patients, who might take their business elsewhere, as well as other healthcare organizations, which might be reluctant to make referrals out of concern for patient privacy.
"Not covered by insurance generally is the lost business that occurs because of the damage to reputation as a result of a breach," Hodge says. "And that's hard to quantify."
Of course, the best way to avoid breach costs is taking adequate prevention steps.
"A serious security incident is a question of 'when'' not 'if,' for most organizations," Evans says. "This reality makes developing effective response plans a priority. Being prepared for incident response is likely to be one of the more cost-effective security measures any organization can take because a well-planned incident response program reduces the incident impact and costs."