The hidden costs are all the things that put those businesses out of business. Data breaches within the healthcare industry do not stay under wraps. You are obligated to report a breach to the Department of Health and Human Services (HHS), and that report becomes public knowledge. If you're a local practice or have a local presence, be assured that people will start to talk about your security breach, and be certain that a subset of your patients will lose all trust in you.

First, there's a technical investigation. These are expensive. Investigations on single computers can cost well over $30,000! Because IT forensics is such a specialized field with very few players, and your insurance company requires a technical investigation, you will likely pay more for an investigation than you would ever pay to achieve complete security compliance.

Another huge cost is the dramatic impact on your operational costs after a breach. Let's say that you've lost access to all of your electronic health records for 48 hours. Now let's say it's more like the company that contacted us about a year ago in October: they had gone through three weeks of trying to get their records back.

Can you imagine how hard it would be to try to rebuild their records from referral data? They didn't even have a good backup to help! Because their business lacked infrastructure and failed to tackle HIPAA guidelines, this practice was left without a computer system for about a month!

Next: the value of lost patients. When you notify people that you let their Social Security numbers get exposed, one thing is certain: you will lose patients.

But even more: you lose intellectual property! All that work that went into documenting treatment plans and procedures is lost. If you were to lose ALL of your recent diagnoses, recommended treatments, all of your records from the past week, or even the past day, could you easily get by? There's no sweeping this under the rug. When your data is lost because someone hacked into your network and encrypted files that you don't have properly backed up, there's no escaping the need to get them back. See our recent discussion on backup recovery for more information.

If You Are Hacked, Hidden Costs WILL Add Up!

We need to make sure that you're educating people on our experience about it, so that when you go back and you talk about cyber security, when you talk about securing our protected health information, they understand the consequences.

And Let’s Be Clear: The Cloud Shouldn’t Be a Security Blanket!

So even the folks here that have your stuff in the cloud, you are still at risk, because if somebody gets malware on the individual machine that they're using to access that data, they have access to the data …

The forensics company couldn’t do that. I was talking about some of the hidden costs. They looked at two machines. Does anybody want to guess how much that costs? Sixty thousand dollars!

Most of us have cyber insurance policies that are going to take care of some of this. But this is not the part that they take care of. They're working on the top of the iceberg. They're not looking at the bottom, and let me assure you, this iceberg is pretty big!


Hidden Security Risk Iceberg. While most businesses identify a few in-plain-sight consequences of a breach, there are many cryptic or hidden costs that will certainly pop up if you are not careful.

Obvious Risks:

Customer Breach Notification—will your clients trust you anymore after a data breach? Shouldn't your office be perceived as a sacred space of confidentiality?

Customer Breach Protection—if your patients' data is exposed, you will likely spend hundreds to thousands of dollars PER patient to ensure that their identity is not compromised.

Regulatory Compliance—HIPAA carries fines if a breach occurred (see the exact violations above; Uncle Sam needs his cut).

Public Relations—thinking about expanding your office? A breach will likely cripple any planned growth. While your name might be all over the news, it likely won't get more patients through your doors.

Attorney Fees—with confidential or sensitive data leaks, there is likely someone claiming pain and hardship. Any PHI data breach is fertile ground for expensive litigation and settlements.

Cybersecurity Investment—cybersecurity forensics analysis to understand the scope of the breach alone can cost you tens of thousands of dollars per infected machine. Your costs can skyrocket if your business insurance demands a forensics audit of your office.

Less Recognized Risks:

Loss of Intellectual Property—your medical records are intellectual property. Your diagnoses and the notes that help you diagnose patients more easily may all be lost when a breach occurs. That may mean more hours invested in relearning the nature of your patients' conditions.

Value of Lost Patients—don't for a second think that every patient will have the patience and understanding that things happen.

Impact of Operational Disruption—billing, accounting, sales. If your office is shut down, EVERYONE in it will be. No checks getting processed. No bills going out.

System Recreation—while you should have a disaster recovery plan to restore your systems, restorations take time (and money) to implement.

Increased Cost to Raise Debt—don't think that creditors will treat you the same after a breach. You will likely pay higher interest rates on debt as a result of a breach.

Insurance Premium Increases—if you make a claim (and if your leak is large, you likely will), your "safe driver" discounts on insurance are probably out the window.

Just to give you an idea of how expensive a data breach may be, take a look at this invoice for cybersecurity forensics REQUIRED by a business’ insurance company after a CryptoWall attack:


Because there are only a handful of companies that perform cyber forensics as a service, AND these services are required if you have a data breach, you may be facing tens of thousands of dollars PER workstation that was infected. Knowing that the latest viruses spread and aim to touch ALL computers on your network, can you imagine the costs incurred simply from a required forensic analysis of even a small business with 10 computers? You may be spending more money on one data breach than you make in one year!

Can anything else make things worse?

HHS has devoted more resources to HIPAA audits over the past few years and continues to increase the scope of its audits. Whether it's in response to decreased government funding for the agency, or out of pure concern that patient data is secured, HHS has been increasing HIPAA audits since 2015, and the increases are not expected to stop anytime soon!

What I also want to say is there's another side to this whole thing, and that is audits, the government. In 2016, they basically started the random auditing. That was the first time that we've actually seen random auditing happen.


Figure 1. Projected HIPAA violations as a result of increased auditing initiatives by Health and Human Services (HHS) in 2016 and beyond.

The lowest amount is actually $50,000 for each violation. OK? So if they find a violation, that's $50,000 apiece, and a violation can be very simple.

And don't for a second think that just because you didn't know about a vulnerability, HHS will give you a pass on a HIPAA infraction. Your fines will likely add up to hefty sums.

Bottom Line: Your costs from a data breach are enormous. When considering whether to "opt in" to HIPAA compliance and protecting your patient data from leaks and attacks, realize that investing up front in shoring up your network means avoiding the long-term, often financially painful, effects of a breach. Every single business that I've worked with cleaning their networks or de-crypting their ransomware initially thought none of this could happen to them. And when it did, they weren't prepared.

Whether you’re concerned about audits from Uncle Sam or are deeply concerned about the growing costs associated with breaches, non-compliance will likely cost you one way or another.

Are you concerned about your HIPAA status? Are you sure your IT Support is keeping your data safe, or are you a sitting duck risking data breaches, HIPAA audits and patient trust? Contact us TODAY for a FREE HIPAA security assessment!