A class action suit over one of the largest healthcare data breaches of 2020 will be settled for $3 million, under a proposal recently filed with the court. Dental Care Alliance, a manager of more than 300 dental practices, reported a breach of PHI, credit card and other data for 1.7 million patients and employees during a one-month cyber attack in late 2020. (No details were given on how the attackers gained access.)
The plaintiffs argued that Dental Care Alliance’s poor cybersecurity practices exposed them to risk of identity theft and fraud; the company denied the charges and replied that no evidence of misuse of the data could be found. See more details on the lawsuit.
In another case of claimed third-party risk, three ophthalmology practices are suing practice manager Eye Care Leaders over business interruptions caused – the plaintiffs claim – by multiple ransomware attacks that the vendor concealed.
The two cases are windows into the high-stakes cyber risk landscape for healthcare providers and payers: sensitive data (sometimes in the hands of third-party vendors) and patient care are at risk, all under the oversight of the federal government’s HHS Office for Civil Rights (OCR), which watches for – and fines – violations of HIPAA.
RiskLens is the leader in software and services for the quantitative analysis of cyber risk in financial terms. Learn more about RiskLens.
Healthcare Industry Data Breach Count
In 2021, the healthcare industry was hit with 849 cyber incidents, 571 with confirmed data disclosure, according to the Verizon DBIR. That placed the industry at #8 for total incidents and #3 for data breaches of 21 industry categories surveyed in the DBIR.
The largest reported healthcare data breach of 2021 – more than 3.5 million records stolen – was a ransom/extortion attack on the Accellion file transfer appliance used by many healthcare organizations.
Most Probable Cyber Risks by Incident Frequency and Loss for the Healthcare Providers and Payers
The RiskLens data science team estimates risk for companies in an industry category based on the history of cyber events in that industry plus a wide range of parameters such as revenue, number of employees and number of database records.
In RiskLens modeling, healthcare shows relatively higher rates of breaches compared to other sectors, with a 9.3% overall mean annual event probability (second only to the public sector). That is likely driven at least in part by stronger data privacy policies enforced by the HHS OCR, with required reporting even for smaller incidents – see the so-called “wall of shame” of HIPAA breaches, which lists incidents affecting 500 or more individuals.
According to RiskLens data science, shown below is the likelihood that the common types of cyber loss events (the categories used in the Verizon DBIR) would occur in a given year for a healthcare enterprise, and what they would cost, based on industry averages. We pulled these numbers from the RiskLens My Cyber Risk Benchmark tool.
Enterprise Size and Security Posture Make a Difference in Healthcare Cyber Risk
We entered into the My Cyber Risk Benchmark tool the revenue, employee count and database record count that have been publicly reported for Dental Care Alliance, along with the SecurityScorecard grade that the Benchmark tool incorporates.
RiskLens modeling decomposes losses, so we can break out Fines and Judgments (F&J) specifically, including settlements. Those are probabilistic (they don’t occur in every event), but we can see that the Dental Care Alliance settlement of $3 million is approximately the median of the full F&J amounts in the Benchmark estimates for firms with similar characteristics.
Note that these Benchmark event probabilities for Dental Care Alliance are quite a bit lower than the industry average, which corresponds to a C rating from SecurityScorecard. That’s thanks to the company’s security posture, rated an A by SecurityScorecard.
As an example, a healthcare industry organization facing a Web Application Attack breach has the following annual probabilities of that event, by SecurityScorecard rating:
- A rating = 5.1%
- C rating = 9.7%
- F rating = 14.3%
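The Benchmark figures above come out of a probabilistic model: an annual event probability (the frequency term, which is what the A/C/F ratings change) combined with a distribution of loss magnitude, of which Fines & Judgments is one component that occurs only in some events. As an added illustration, not RiskLens’s model or code, here is a small FAIR-style Monte Carlo in Python that takes the three event probabilities quoted above and shows how annualized loss expectancy, a 90th-percentile annual loss, a loss-exceedance probability and the conditional median of F&J emerge from those two terms. Every loss magnitude parameter in it (`EXAMPLE_MODEL`, the lognormal shapes, the 40% chance that an event produces F&J) is a constructed assumption for illustration, and the code sweeps all three ratings rather than the single A-rated case discussed for Dental Care Alliance.

```python
"""Toy FAIR-style Monte Carlo of annualized cyber loss for one event type.

Added example; not RiskLens's model or Benchmark code. The three event
probabilities are the ones quoted in the post; all loss magnitudes below
are constructed assumptions.
"""
import dataclasses
import math
import random
import statistics
from dataclasses import dataclass

# Annual probability of a web application attack breach for a healthcare
# organization, by SecurityScorecard rating (figures quoted in the post).
EVENT_PROBABILITY_BY_RATING = {"A": 0.051, "C": 0.097, "F": 0.143}


@dataclass(frozen=True)
class LossModel:
    """Parameters for one event type. Magnitudes are constructed assumptions."""
    event_probability: float  # P(at least one event in a given year)
    primary_median: float     # lognormal median of response/notification cost, USD
    primary_sigma: float      # std dev of ln(primary loss)
    fj_probability: float     # P(fines, judgments or settlement | event occurred)
    fj_median: float          # lognormal median of F&J when they occur, USD
    fj_sigma: float           # std dev of ln(F&J amount)


def simulate_annual_losses(model, years=20000, seed=7):
    """Simulate `years` independent years.

    Returns (annual_losses, fj_amounts): the total loss booked in each year
    (0.0 in years with no event) and the F&J amount for every event in
    which F&J actually occurred.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    annual_losses, fj_amounts = [], []
    for _ in range(years):
        if rng.random() >= model.event_probability:
            annual_losses.append(0.0)  # no event this year
            continue
        # Primary loss: lognormal with the given median, i.e. mu = ln(median).
        loss = rng.lognormvariate(math.log(model.primary_median), model.primary_sigma)
        # F&J are probabilistic: they only occur in a fraction of events.
        if rng.random() < model.fj_probability:
            fj = rng.lognormvariate(math.log(model.fj_median), model.fj_sigma)
            fj_amounts.append(fj)
            loss += fj
        annual_losses.append(loss)
    return annual_losses, fj_amounts


def summarize(annual_losses, fj_amounts, exceedance_threshold):
    """Headline figures an analyst reports from a loss simulation."""
    years = len(annual_losses)
    ranked = sorted(annual_losses)
    return {
        "event_frequency": sum(1 for x in annual_losses if x > 0) / years,
        "annualized_loss_expectancy": statistics.fmean(annual_losses),
        "p90_annual_loss": ranked[int(0.9 * years)],
        "prob_exceeding_threshold": sum(1 for x in annual_losses if x > exceedance_threshold) / years,
        # Median F&J conditional on F&J occurring (0.0 if it never did).
        "median_fj_given_fj": statistics.median(fj_amounts) if fj_amounts else 0.0,
    }


def compare_ratings(base_model, threshold=1_000_000, years=20000, seed=7):
    """Re-run identical loss-magnitude assumptions with the event probability
    for each rating, so only the frequency term differs between results."""
    results = {}
    for rating, p in EVENT_PROBABILITY_BY_RATING.items():
        model = dataclasses.replace(base_model, event_probability=p)
        annual, fj = simulate_annual_losses(model, years, seed)
        results[rating] = summarize(annual, fj, threshold)
    return results


# Constructed example parameters (not from the post): a mid-sized provider.
EXAMPLE_MODEL = LossModel(event_probability=0.051, primary_median=800_000.0,
                          primary_sigma=1.0, fj_probability=0.4,
                          fj_median=3_000_000.0, fj_sigma=0.8)

if __name__ == "__main__":
    for rating, s in compare_ratings(EXAMPLE_MODEL).items():
        print(f"rating {rating}: event freq {s['event_frequency']:.3f}, "
              f"ALE ${s['annualized_loss_expectancy']:,.0f}, "
              f"P90 annual loss ${s['p90_annual_loss']:,.0f}, "
              f"P(annual loss > $1M) {s['prob_exceeding_threshold']:.3f}, "
              f"median F&J when F&J occurs ${s['median_fj_given_fj']:,.0f}")
```

Two things the run makes visible that the percentages alone do not: the annualized loss expectancy scales with the frequency term, so the A-rated organization’s expected annual loss is roughly half of the C-rated one under the same magnitude assumptions, while the conditional median of F&J does not move with the rating at all, because it is a property of the magnitude distribution. That is why a single settlement can be compared against the median F&J of a Benchmark cohort independently of how likely the event was in the first place.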
The stats in this blog post were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from SecurityScorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.