Dive Brief:
- According to an estimate by Forbes analyst Dan Munro, the recent patient data breach at Community Health Systems could cost the hospital system between $75 million and $100 million. The hack exposed the HIPAA-protected data of 4.5 million patients in 29 different states.
- Munro's assessment of total cost to CHS includes: legal, technical and administrative remediation; Office of Civil Rights (OCR) fines stemming from HIPAA violations; identify theft protection and credit monitoring offered to impacted patients; and legal defense and resolution in patient and shareholder lawsuits.
- Munro notes that the greatest cost of the hack is likely to be to the system at large, since the data was likely stolen to be used for insurance fraud purposes. Whatever the cost to CHS is, Munro says, "those costs are trivial compared to the potential of having 4.5 million 'fresh' social security numbers available for fraudulent use."
Dive Insight:
Tough month for CHS. Don't forget the Tennessee-based hospital system and the Department of Justice announced earlier this month that CHS will pay $97M plus interest in settlement to the federal government to resolve allegations that CHS habitually admitted patients who should have been treated on an out-patient basis in order to bill Medicare at the higher inpatient rates. The settlement found "no improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing," said CHS in a statement. The hospital chose to settle out of a desire to end the ongoing—and expensive—investigation by the DOJ, which began in 2011.
Meanwhile, the first class action suit against the system was filed mere hours after the news of the breach broke, and according to an attorney for OCR, the regulatory penalties handed down over the last 12 months will "pale in comparison" to the coming year's oversight. (Up until now, the largest OCR fine was a $4.8 million penalty to Columbia and New York Presbyterian this summer.) The fall-out from this breach is likely to be a very, very expensive and extensive process.
Want to read more? You might enjoy this story about CHS' $97M settlement in a recent whistleblower case or this story about 4 ways providers can avoid similar data breaches.