It was recently uncovered that a healthcare administrative services and IT provider, CoPilot Provider Services, took more than a year to notify 220,000 customers affected by a data breach. The breach took place in October 2015, when a former employee downloaded names, birthdates, addresses, phone numbers, and medical insurance card details of the customers.
In February 2016 CoPilot informed the FBI and an investigation began, but customers were not notified of the breach until January 2017, which put CoPilot in violation of the HIPAA Breach Notification Rule. CoPilot claimed the delay in communication was due to the ongoing FBI investigation. However, the HIPAA Breach Notification Rule states that covered entities must disclose a breach to stakeholders such as patients, customers, the OCR and the media within 60 days of discovering it.
The FBI did not instruct the company to delay notification, as notifying customers would not have hindered the investigation. CoPilot settled with the State of New York for $130,000 in penalties for this violation of business law and agreed to reform its notification and legal compliance program.
These types of security compromises understandably affect the level of trust that patients, customers and the media place in a service provider or healthcare organization. A post-WannaCry survey states that about 68% of US consumers would consider leaving a healthcare organization that experienced a data breach. Another study revealed that 31% of customers would discontinue their affiliation with a company, such as a business associate or covered entity, that experienced a data breach, with 65% saying this type of event would cause a loss of trust.
The loss of consumer confidence that follows a breach is made worse by any delay in notifying affected stakeholders, and it draws attention to how much customers expect their healthcare providers to keep their information safe. The same study also found that customers trust healthcare organizations the most when it comes to protecting their personal data. Service providers employed by healthcare organizations therefore have a duty to protect patient records to the best of their abilities. It is also vital that these companies give notice of a breach as quickly as possible after an attack in order to manage the situation well. It has also become common practice for organizations to provide affected patients with free identity monitoring services to aid in recovery.
As technology-related breaches continue to occur, C-suite executives and boards of directors are often not fully aware of how much negative impact a breach can have on their company's reputation or success. If a company responds quickly to a security breach, it is less likely to experience a negative financial impact, a decline in stock value, or a decrease in the number of clients.
Companies that have a poor security reputation and do not respond promptly to an attack are more likely to see a decline in stock value that lasts much longer. They are also more likely to lose customers. A 2% loss in share value, which is considered low, costs a company roughly $2.67 million. Another study revealed that the share value of an organization dropped 5% following the disclosure of a breach compared with its value 90 days before the attack.
Along with keeping their internal communication compliant, healthcare organizations must take care to employ service providers that are aware of HIPAA rules and are up to date on the security controls needed to prevent breaches. Through internal policies, employee compliance training, and software and hardware security updates, among many other factors, the additional assurance of compliant business associates and covered entities helps to better safeguard patients and organizations.