Health-Care Breaches Cost More Than Financial Services, Retail Lapses

Health-care data breach costs are substantially higher than expenses associated with any other data breach, according to a new study that reviewed cyberinsurance claim payouts over the past year.

Payouts associated with data breach expenses ranged from a minimum of $1,000 for smaller security incidents up to $13.7 million for a substantial breach involving data exposure, according to the 2014 Cyber Claims Study (.PDF) conducted by NetDiligence, a Gladwyne, Pa.-based firm that specializes in risk assessments and data breach services. NetDiligence analyzed 117 data breach insurance claims, 111 of which involved the exposure of sensitive personal data in a variety of business sectors.

The health-care industry is absorbing the highest costs associated with incident response and breach notification, establishing a legal defense, paying out regulatory fines and obtaining other crisis services. The average payout for public health-care information-related breaches was $1.3 million, 41 percent higher than payment card breaches and 66 percent higher than breaches exposing personally identifiable information, the study found.

[Related: 5 Pain Points: Health-Care Providers Should Do A Partner Security Checkup]

The health-care sector was also most frequently breached, making up 23 percent of the claims, followed closely by financial services and retail. Data breach costs typically underwritten by insurers pay for bringing in an outside forensics investigator, determining the scope and containing the breach, and notifying victims about the security incident, said Mark Greisiger, president of NetDiligence.

"These organizations are dealing with mounting crisis service costs, and they are all costs that they are bearing before they are even sued or face regulatory fines," Greisiger said in an interview with CRN. "If there is a breach in this sector, they are under pressure to comply with HIPAA and meet requirements of other state laws."

Insurers also underwrite the cost of hiring a legal team to address lawsuits, potential regulatory fines and other actions. State Attorneys General also are increasingly taking an aggressive approach to health-care breaches due to the privacy issues related to the lapses, Greisiger said.

The average cost paid out for crisis services was more than $366,000. Insurers also paid out about $700,000 on average for legal defense costs.

Clinics, dental offices and other small outpatient facilities often have limited resources and struggle to keep up with the evolution of HIPAA, said David Monahan, a security and risk management research director at Enterprise Management Associates. Larger organizations have to deal with more complexity and increased risks associated with business partner relationships, Monahan said.

"There's a lot of complexity involved and when a security incident happens the costs can quickly add up if the organizations involved aren't prepared," Monahan said.

Of the $62.3 million in total payouts, about half was spent on crisis services, 15 percent to mount a legal defense and 10 percent on legal settlements. The study found that 10 percent was spent on building a defense against regulatory action, 6 percent on actual regulatory fines and 11 percent for fines associated with the payment card industry.

NEXT: Breach Claims Illustrate Persistent Problems

The health-care industry has been an area of growth for solution providers as health-care providers look to increase their security posture. Organizations are making investments in security technology, such as data encryption, to prevent access to sensitive data, but often the biggest hurdles IT organizations face are doctors and other practitioners who don't want technology to slow down or restrict access to an patient's data during a health-care crisis when the information is essential in giving critical care, Monahan said.

Larger health-care organizations also have to deal with myriad proprietary systems designed to boost efficiency, but often create more complex IT environments, said Gus Chiarello, a regional sales manager at security solutions reseller and systems integrator The Hergavec Group. Chiarello said health-care organizations are investing in network monitoring, security information event management systems, and data loss prevention to prevent employee errors.

"Much of what health care does is business-process-driven with new technology being put in place and security a secondary factor," Chiarello said. "The security challenges that health-care organizations have aren't being addressed in the same way that the financial industry is addressing its issues and, unfortunately, that's left the doors open for criminal activity."

Some of the largest breaches in 2014 involved health-care providers. A data breach at Sutherland Healthcare Solutions, a medical billing and collections agency, impacted 338,700 California residents. Heartbleed, the OpenSSL bug that was in a Juniper Networks device at Community Health Systems Inc., was said to have led to a breach in August impacting as many as 4.5 million patients.

Meanwhile, according to the study, the average claim payout was $733,109. Hacking was the most frequent cause of data loss, making up 30 percent of the claims. Staff mistakes were indicated in 14 percent of the breach claims. About 20 percent of the breaches stemmed from a security lapse by a third-party business partner, Greisiger said. Merger-and-acquisition activity also causes configuration weaknesses and system management lapses that create avenues for hackers to target, he said.

Cybercriminals target health-care organizations because there's money to be made, say security experts. Much of the stolen patient data is sold or bartered on hacking forums, according to Dell-SecureWorks, which issued a study last year on the the underground market for stolen health-care data. The information feeds a market used to create fraudulent health insurance credentials. Unlike credit card data, stolen medical data and health insurance information retains its value because it lasts a long time, and much of the activity escapes detection or is written off by health-care providers, according to Dell-SecureWorks.

PUBLISHED DEC. 11, 2014