BreachExchange mailing list archives

Assessing The Financial Impact Of 4.5 Million Stolen Health Records


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 25 Aug 2014 19:06:04 -0600

http://www.forbes.com/sites/danmunro/2014/08/24/assessing-the-financial-impact-of-4-5-million-stolen-health-records/

Less than a week ago, publicly traded Community Health Systems (CHS)
formally announced to the SEC what amounts to the second largest breach of
health records (4.5 million) in U.S. history. According to the filing, the
data was stolen between April and June of this year.

Whether or not it was a 90-day event as the company claims ‒ and whether or
not the breach was truly a sophisticated attack by an “advanced threat
group” from China ‒ has yet to be determined. That’s all part of the
forensic analysis and legal investigation now underway. Unlike other health
record breaches, however, this one is already in District court.

Within hours of the formal announcement to the SEC, the first putative
class action lawsuit was filed against CHS in the state of Alabama (here ‒
subscription required). That suit, which will likely be one of many on
behalf of 4.5 million patients, signals what will amount to millions of
dollars in cost that CHS will incur as the result of the data breach. As a
footnote, earlier this month, CHS settled a Department of Justice
investigation into billing practices for $98 million. Clearly this has not
been the best month for the 206-hospital system with over 31,000 beds in 29
states.

It’s also a leading indication of just how different this case will be
compared to a typical retail data breach. In a nutshell, unlike Target
(or UPS ‒ announced last Wednesday) health records are not credit or
debit cards. In the SEC filing ‒ CHS described the stolen data this way:

The Company has confirmed that this data did not include patient credit
card, medical or clinical information; the data is, however, considered
protected under the Health Insurance Portability and Accountability Act
(“HIPAA”) because it includes patient names, addresses, birthdates,
telephone numbers and social security numbers.
‒ Community Health Systems SEC Form 8-K filing

The fact that the data included social security numbers is a bombshell ‒
for technical, legal and financial liability reasons.

There are many differences between patient data (with and without the
clinical or medical component) and typical credit or debit card
information. Here are three.

1. Unlike credit card data ‒ which has built-in mechanisms to protect
consumers against fraudulent use (usually everything over the first $50) ‒
health data has no such “built-in” protection.

2. Social Security numbers are “the single most important piece of
government-issued identification an American citizen can have, and the most
valuable piece of ID cybercriminals can get their hands on” (from What to
do if your Social Security Number is Stolen).

3. Relative to health data, credit card “monitoring” is almost completely
useless because most of the companies offer no consumer protection against
the costs associated with identity theft. In fact, many organizations
intentionally mislead consumers by interchanging the words credit
monitoring and identity protection as if they were synonymous. They aren’t.

Those that do offer actual “identity theft” liability protection are a form
of actual insurance and tend to be far more expensive than credit
monitoring. CHS has indicated in their SEC filing that they will be
providing “identity theft protection” and that will affect their total cost
by a significant amount.

Given the nature of health data generally, there are at least five big
components to the cost of a large breach.

1. Remediation (technical, legal and administrative)
2. Fines associated with HIPAA violations (as determined by the Office of
Civil Rights ‒ under HHS)
3. Identity Theft Protection (or credit monitoring) for 4.5 million patients
4. Defending against both patient and shareholder lawsuits (and settlements)
5. The incalculable cost to the healthcare system for insurance fraud stemming
from 4.5 million Social Security numbers

While the first two are largely unknown (or have yet to be determined), we
do have some visibility into their potential cost. A little over two years
ago, BlueCross BlueShield of Tennessee (BCBST) estimated their cost at $17
million (for “corrective actions”) around a 2009 burglary that netted about
1 million patient records. The “tighter IT” and security remediation
accounted for about $7 million and the settlement with the Office of Civil
Rights (OCR under Health and Human Services) for HIPAA violations was $1.5
million.

That makes the per‒record cost relatively easy to calculate ‒ about $17.
Multiplied by 4.5 million equals about $77 million ‒ but that’s a simple
multiplication ‒ and BCBST didn’t have pesky patient or shareholder suits
to contend with.

The OCR fine to CHS could also be higher in this case because of both the
sheer size and the fact that it spans 29 states. The largest single OCR
fine to date was $4.8 million earlier this summer (Columbia and New York
Presbyterian). Even if the OCR doubles the Columbia/NYP fine ‒ it would
still be less than $10 million.

Actual “identity theft protection” (if that’s truly what CHS meant) will be
a significant component. In both cases, actual identity protection or
credit monitoring is largely a “good will” gesture and it’s entirely
“opt-in.” Most people never sign up for credit monitoring when it is
offered. According to Linn Freedman, Leader of Nixon Peabody’s Privacy and
Data Protection Group, only about 10‒15% of people actually sign up for
credit card monitoring ‒ and most of the time, that protection has a
relatively short duration of one calendar year.

The retail cost of an identity protection service like LifeLock (with a $1
million identity theft policy underwritten by State National Insurance
Company) is about $110 per year. While the wholesale amount of that kind of
service would be significantly less, it won’t compare to the very low cost
of a basic credit monitoring service (about $12 ‒ $20 per consumer per
year). Assuming a 30% opt‒in rate (doubly generous by Linn’s observation),
the total amount for CHS to provide one year of coverage ranges from $20
million (simple monitoring) to over $74 million (actual protection with $1
million policy at wholesale rate of 50%).

Obviously if enrollment is higher in either program ‒ those figures could
double ‒ or triple.

Relative to any class action suits, one possible hint is the Sony
PlayStation Network settlement for $15 million which was associated with
the loss of credit card data for 77 million PlayStation Network customers.
That’s still pending, but again, health data is vastly different than
credit card data and there are a lot of unknowns around a class action
health data breach at this scale (4.5 million patients across 29 states).

The OCR under HHS could also elect to be more aggressive. The Columbia/NYP
fine (for $4.8 million) was for a comparatively small breach (6,800
records) and the FTC has started to flex their powers in this arena (see
LabMD reference here).

For all these reasons ‒ and as pure speculation on my part ‒ I would peg
the full CHS cost component to be (conservatively) somewhere between $75
and $150 million.

Whatever these costs, CHS is not the biggest loser (or victim). This case ‒
like all healthcare data breaches ‒ is one that we all have a stake in
because of the incalculable cost to the healthcare system as a whole. The
fact is ‒ we all wind up paying for these data breaches. Here’s how.

The tendency on the part of many is to assume that Social Security numbers
in general have a high resale value among criminals. They don’t. What they
do have, however, is a range of fraudulent uses that are all very
lucrative. Assuming the breached Social Security numbers from CHS show up
at all (they may not for other reasons), the commodity value of a single
(or group) of numbers is very low. In this case ‒ about $10 for any
quantity up to 1,000.

One source I spoke to suggested that the cost of a “fullz” today is as low
as $1 ‒ possibly less.

One of the biggest fraudulent uses of stolen Social Security numbers is
medical insurance fraud ‒ both public (Medicare/Medicaid) and private. The
industry typically uses $80 billion as the standard “estimate” of Medicare
and Medicaid fraud annually ‒ but it’s so rampant and diffuse that it’s a
vague number. We just don’t know with any precision.

Private insurance companies have a similar fraud number ‒ but they’re even
harder to track down because there are hundreds of private insurance
companies and they don’t advertise fraud related to claims processing.

In both cases ‒ public and private insurance ‒ as long as the healthcare
system can support ever increasing costs, the losses just get added to the
bill and we all pay in the form of higher healthcare premiums.

It wasn’t just CHS that got ripped off here. We all took a hit because
whatever the final amount for CHS directly ‒ $50, $100, $200 million (or
more), those costs are trivial compared to the potential of having 4.5
million “fresh” social security numbers available for fraudulent use.

“If you play it right, you can make a lot of money quickly, stealing from
Medicare. You can walk into the United States, with limited English skills,
no knowledge of medicine, and — if you hook up with the right people, that
know how to play the system like a Stradivarius — you can become an
overnight millionaire.” James Quiggle, Nonprofit Coalition Against
Insurance Fraud ‒ A Medicare scam that just kept rolling ‒ Washington Post,
August 16, 2014
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss