When you prepare for HIPAA compliance, a data breach and the fines and penalties that follow it may not be the first thing on your mind. It is understandable that some of you have an “a breach can’t happen to my company” attitude, but the growth in malware threatens even the smallest companies. The cost of a real-world breach extends well beyond any dollar amount HHS OCR may assess. What happens to a company’s reputation after a breach? Studies by the Ponemon Institute, Delinea, IBM, Forbes, and Experian document the impact on your business. Their results make it clear that you need to be prepared to handle a breach, and the steps you must follow are part of a well-executed HIPAA compliance plan.
What Do Studies Show?
It’s clear that data breaches have a financial impact on companies. A healthcare data breach costs a healthcare provider an average of $380 per record, more than 2.5 times the average across the 16 industries surveyed in the 2017 Ponemon Cost of Data Breach Study [1]. Total HIPAA has written several blog posts on the financial effects of a breach. But what do studies show about reputation?
Ponemon Institute
A 2017 Ponemon Institute study, The Impact of Data Breaches on Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers, conducted in conjunction with Delinea, looked at the negative effects of data breaches on share value and on customers’ attitudes [2].
Lowered Share Value
The Ponemon Institute tracked the share value of 113 publicly traded companies for 30 days before a data breach and for 90 days after it. On average, share value dropped by 5% following the disclosure of a data breach [2].
Loss of Customers
The study also showed that the loss of customers following a data breach is considerable: 31% of consumers said they had ended their relationship with a company after a data breach, and 65% said they lost trust in the organization after being affected by one or more breaches [2].
How Can I Mitigate the Damage if a Breach Occurs?
Studies show that your reputation is at stake following a breach, but there are steps you can take to soften the blow. David C. Smith, a nationally recognized speaker who educates employers, agents, brokers and consultants on how state and federal laws affect the purchase and regulation of employer-based health benefits, gave Total HIPAA his suggestions on what to do when a breach happens.
His first tip isn’t everyone’s first reaction, which is often to hire an attorney. Smith instead suggests that you first “lock down the information that is out there and preserve the record.” In other words, contain any further exposure of the data and preserve the records of the incident, including system logs, because those records are what you will need to establish the scope of the breach accurately.
Second, reach out to the affected parties. Let them know that your company takes its responsibility to protect PHI seriously, that you are going to determine what caused the breach, and that you are going to take appropriate action to protect them. Apologize for how the breach has affected them. Keeping the affected parties as comfortable as possible with the situation reduces the chance that they spread fear among the others who were affected or take their concerns to the media. Keep in mind that this outreach is not optional: the HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 calendar days after the breach is discovered.
Smith then suggests finding the right vendor to guide you through the process at the lowest cost. Before you make the call, understand the scope of the breach, and then look for the most appropriate vendor. For example, a breach at a larger company might require the help of a public relations firm as well as an attorney. The size of your company and the number of records breached will determine whether you engage a public relations firm, legal counsel, or both.
HIPAA Compliance Plan
Regardless of how minor a breach is, the financial loss and the damage to your reputation will almost always exceed the cost of proactively protecting your organization with a well-developed and properly implemented HIPAA compliance plan. Total HIPAA can help you achieve that goal. Please reach out to us for more information on how we can help you protect yourself. Remember, your reputation is your most important asset.