As covered in our blog last week, Advocate Health Care, a large Chicago-based health system, reported a data breach at one of its subsidiaries in which the theft of four laptops led to over four million compromised patient records. This event marks the second largest healthcare data breach in history, and, to put this into perspective, alone accounted for over 17% of the total number of patient records breached as reported to HHS since it started keeping track in 2009.
What made the event particularly noteworthy, however, is that Advocate had been down this road before: a 2009 data breach at the same organization followed an almost identical fact pattern. Despite previous mandates from OCR/HHS to encrypt all portable devices, Advocate had not done so. The result? A class action lawsuit that will likely break every data breach record on the books.
My colleague (and self-professed Game of Thrones lover) summed it up best: “brace yourself: a staggering settlement is coming.” The lawsuit filed last week did not specify the damages the class intends to seek, but a look at recent data breach class actions shows very quickly that an astronomical figure is possible here. For instance, in a lawsuit stemming from a 2009 incident involving Stanford Hospital & Clinics, a class representative alleged $20 million in damages for 20,000 exposed patient files. That $1,000-per-patient figure is not out of left field; lawsuits across the country in these sorts of actions routinely demand damages in the high three-figure range per patient.
So, yes, the Advocate data breach could easily break the $1 billion mark via settlement, a number in the range of the tobacco company settlements. This event exemplifies the unfathomable risk that covered entities face in the digital health age. Unfortunately, few providers recognize these dangers until it is too late. As we have argued in this column many times, the best risk management strategy starts with a risk assessment. Discover where your patients’ PHI is going, and make sure you are doing everything in your power to minimize the biggest risks; for portable devices in particular, that means full-disk encryption, since PHI on a stolen but properly encrypted laptop is not “unsecured PHI” under the HHS breach notification rule. If you do this, you are one significant step ahead of the average provider and a few steps farther away from being the next facility to let millions of records of PHI walk out your front door.
With over two decades of technology entrepreneurship behind him, Krishna Kurapati started QliqSOFT with a strong desire to solve clinical collaboration and workflow challenges in US healthcare. During the late 90s, Krishna co-founded IPCell to build the first cable IP telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues in Unified Communications, raising over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
Prior to the pandemic, telehealth visits (patient-provider visits delivered virtually) were an afterthought in the care continuum: ill-regarded and little-used beyond patients in rural areas who had few care choices. Virtual visits comprised less than 1% of all outpatient visits. Private insurers generally follow guidelines from the Centers for Medicare & Medicaid Services (CMS), which allowed telehealth only in limited circumstances and reimbursed it at 30% below in-office rates.