BreachExchange mailing list archives

Community Health Systems breach could cost up to $150 million


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Aug 2014 19:18:23 -0600

http://venturebeat.com/2014/08/25/community-health-systems-breach-could-cost-up-to-150-million/

Last week’s data breach at Community Health Systems, in which data from 5.4
million patients was lost, could end up costing the health system between
$75 million and $150 million, according to Forbes digital health columnist
Dan Munro.

The CHS hackers, now known as APT 18, used the computer bug Heartbleed to
access VPN log-in credentials, experts have told VentureBeat.

CHS said in a filing that no clinical data was taken in the theft but that
Social Security numbers (the holy grail for identity thieves) were lost,
along with an array of personal information that included patient names,
addresses and phone numbers.

All of that information is covered by HIPAA privacy laws. And this comes
just a few months after an attorney for the Office for Civil Rights (the
Health and Human Services office charged with monitoring HIPAA compliance)
said that the agency would be more aggressive this year about cracking down
on privacy violations.

A group in Alabama has already filed a class action lawsuit against CHS.
The Southern state is one of the 29 with CHS hospitals.

Fierce Health points out that the OCR has levied nine fines totaling more
than $10 million since June 1, 2013. That includes a record $4.8 million
fine announced in May against New York-Presbyterian Hospital and Columbia
University.

Munro bases his cost estimate of the CHS breach on the following factors:

- Remediation (technical, legal and administrative)
- OCR fines associated with HIPAA violations
- Identity theft protection or credit monitoring for patients
- Defending against both patient and shareholder lawsuits and settlements
- The incalculable cost of potential insurance fraud stemming from 4.5
  million exposed Social Security numbers

Two years ago, Blue Cross Blue Shield of Tennessee lost about a million
records and incurred losses of an estimated $17 million as a result.

Part of that was a $7 million bill for improved security systems. CHS,
security experts point out, used a lot of open-source or free security, and
it could have to invest millions to upgrade to more sophisticated systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
