Loss Scenario: Privacy Notification Expenses Cost a Pretty Penny

Content provided by AHA Endorsement partner: Chubb

Learn the risks a health care organization loss scenario can present, and how Chubb can save you time, money and liability.


DESCRIPTION OF EVENT
Data files transferred from a physician group to a billing company contained the first initial and last names of 450 patients, their health care spending account numbers, and the dates of their last visit. The billing company mistakenly posted these files on its public website, where they remained for over a week. Both the physician group and the billing company became aware of the error when a patient alerted them that he had seen the information on the public website.

RESOLUTION
The billing company immediately removed the files from its website. The physician group immediately contacted its attorney to assess whether the release of this data constituted an actual “breach” under the law, and whether the group was legally obligated to notify patients as a result. The attorney determined that the event did qualify as a technical “breach” under federal law (HIPAA/HITECH) as well as the applicable state privacy law, so the physician group was required by law to notify its patients. The physician group decided to offer the 450 affected patients both health record and credit monitoring services for a period of one year. The cost of notification services was $22,000, and the health record and credit monitoring services (with 20% of those notified accepting the services) amounted to approximately $25,000. The total breach response costs to the physician group, including legal and forensic costs, were over $96,000. Both the physician group and the billing company were subsequently assessed a HITECH fine/penalty of $150,000 each.

Could this happen to your organization? Contact your trusted Chubb agent or broker.