The Alarming Financial and Reputational Costs of Healthcare Data Breaches Keep Rising

Healthcare is supposed to get us out of danger, not place us in harm’s way. The hard truth is that data breaches in the space are at historic levels, compromising tens of millions of healthcare records and potentially placing patients in serious financial peril.

“Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed,” a study in HIPAA Journal found. “The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.”

Discussing the impacts of data breaches and fraud in healthcare with PYMNTS, Experian Health Vice President, Adjacent Markets and Consumer Engagement Chris Wild said cybercrooks have plans for those stolen records, and it’s as bad as we think.

“There are lots of reasons why you might want someone’s records,” he said. “Many of them have to do with some of the social engineering aspects, but there’s a lot that you can do with medical fraud.”

Considering that in 2022 there are an estimated 32 million HSAs containing more than $100 billion in the U.S., it’s a rich target for bad actors, a nightmare for victims, and a costly hit to providers. The average financial impact in fines and related costs for healthcare companies that get breached can run as high as $10 million.

“Those are the financial costs, but I would say by and large the biggest cost is the reputational impact,” he said. “Think about healthcare today. It’s more consumerized than ever before.”

That means healthcare is more shoppable than ever before, and the patient is now thinking more like a paying customer. Healthcare providers that fail to treat data security as mission-critical will not only pay the fines but are now more likely to lose the relationship as well.

Tech vs Tech

Confronted with the scale and sophistication of data breaches, the healthcare industry in the aggregate knows it must secure its data but doesn’t always know where to start. Looking at it from a patient experience perspective is one way to understand the whole problem.

“It used to be the gold standard was asking a bunch of questions that presumably only [the patient] knows,” Wild said. “What street did you live on five years ago and which of these people did you live with? We’re finding that’s starting to be a little bit passé now, and there’s a lot more that goes into identifying who somebody is.”

Noting that healthcare has a unique balancing act to pull off between security and access, he said companies like Experian Health are getting more aggressive on the identity front.

Leveraging device IDs is one way. “When you have your cell phone or your tablet or your laptop, or your computer, or even your voice assistant devices, they all have a device ID. We keep track of those and see which ones are being naughty, which ones are being nice,” he said.

“We can start to ramp up when we see a naughty device acting naughty. But also think about things like document verification, validating that a driver’s license being shown to a registrar is actually a real driver’s license, or things of that nature.”

It’s another use case where digital tech and data are making healthcare records more secure without impinging on consumer healthcare journeys that are fraught enough. Biometrics are fast becoming a critical component for authentication.

Data Security Is Everyone’s Job

Wild said, “One of the challenges that we’ve had historically is just identifying that something has happened. It takes almost two-thirds of a year just to discover that something happened. Think about all the things that could have happened with that data in that period of time.”

As with everything else, the pandemic accelerated online access via patient portals and text-based communications with healthcare providers. Reciting all the hoops healthcare jumped through in the first years of COVID as telehealth took over the doctor visit, Wild said the industry is in a different place today, although still far from finished when it comes to securing patient data.

“Looking at all of those sorts of [COVID] factors, it really accelerated adoption [of digital health access solutions],” he said. “Now it’s becoming more prevalent that the conversations we have are less about the operational savings and more about the security savings, because we’re seeing just those volumes escalate in a hockey stick parabolic kind of [way].”

However, increasing access for the patient means more points of egress for the cybercrook, which is why Wild said organizations are partnering with data experts on locking it down.

“For a healthcare data breach or any sort of misappropriation of patient-member data, you want to make sure you’re keeping things safe, keeping things secure and making sure all the associated people know what to do,” he said. “In today’s world, that’s not just IT.”