Cost of Noncompliance

While some healthcare organizations do not think that becoming HIPAA compliant is worth the investment, failure to comply with HIPAA can come at a much higher cost. The cost of noncompliance can include an increased likelihood of breaches, reputational damage, and HIPAA violation fines. 

In addition, the costs of responding to a breach and remediating the vulnerabilities that caused the incident are much higher for noncompliant organizations, and the reputational damage from a data breach can be detrimental to your business.

Cost of Noncompliance: Breach Detection, Mitigation, and Response

Each year, Ponemon Institute releases a report discussing the average cost of a data breach for the previous year. According to Ponemon, the average cost per lost or stolen record was $408, so even a relatively small breach that affected just 500 individuals could cost an organization $200,000. However, the average cost of a healthcare data breach in 2021 was much higher.

The 2021 cost of healthcare data breaches soared to an average of $9.3 million per incident, a 29.5 percent increase over 2020's average of $7.13 million.

The likelihood of being breached as a healthcare organization is also shockingly high. On average, there are 600 cyberattacks a week targeting healthcare organizations alone, and these incidents generally come at a higher cost per incident. Hacking incidents can be more costly for many reasons, including the time it takes to detect the incident, remediation efforts, identity protection for affected patients, contracting a third-party cybersecurity firm, and recovering patient data.


Sending Patients Breach Notification Letters

In the healthcare industry, organizations must alert affected individuals via mail in the event of a data breach. Depending on how many individuals are affected by the incident, the cost of notification can be astronomical. 

In one such case, the American Medical Collection Agency (AMCA) experienced a large-scale breach in which they had to send 7 million individuals breach notification letters, costing the organization $3.8 million. 

Data Breach Response and Remediation

Many small to mid-sized businesses don't have dedicated IT personnel on staff. When an organization experiences a data breach, remediation efforts must be implemented to ensure that another breach doesn't occur. An organization may need to hire IT experts to address security issues and close security gaps. AMCA, for instance, spent $400,000 to hire an outside IT firm to assist with breach response.

Credit Monitoring and Identity Theft Protection

Under HIPAA, organizations that experience a data breach must offer affected individuals free credit monitoring and identity theft protection for two years. Credit monitoring can cost between $10 and $30 a month per individual, or $240 to $720 per person for two years of credit monitoring.

Data Breach Reputation Damage

The negative impact on an organization's reputation can be the most costly and often overlooked aspect of a data breach. Building a reputation can take years, but it only takes one incident to damage an organization's reputation permanently. When an organization is breached, and that breach affects more than 500 individuals, the details of the incident are posted to the Office for Civil Rights "wall of shame".

According to Ponemon, the lost business cost of a data breach was nearly $1.6 million.

Lost business costs include: 

  • Business disruption and revenue losses from system downtime