Getting Back on Track: How to Recover from the Financial Impact of a HIPAA Breach

VITALII VODOLAZSKYI / STOCK.ADOBE.COM

HIPAA violations are the specter that haunt every dental practice. Forever looming overhead, HIPAA infractions hurt everyone. Most importantly, they hurt the patients and the practice, but perhaps most dramatically, they hurt the practice’s bottom line.

With recent increases in ransomware attacks and data breaches, practices should be more proactive in their preventive tactics to avoid experiencing a breach. In 2022, there were 707 health care data breaches affecting more than 500 patient records—the second-worst year ever in terms of reported breaches, trailing closely behind the high of 715 in 2021.¹ These breaches were accompanied by rigorous notification requirements, fines, and penalties, ranging from a few hundred to several million dollars.

HIPAA Violation Penalties

These violation fines can have a huge financial impact on a dental practice. HIPAA violation penalties are issued by the US Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Violations are classified as either criminal or civil, with 4 tiers of civil penalties defined by the level of practice culpability.²

In tier 1, practices have no knowledge of the HIPAA violation, even if they have exercised due diligence. Essentially, the practice has little to no culpability, but the breach has still happened.

“This is the scary one, the first level, which usually totals $10,000 to $50,000 per incident,” Lorne Lavine, DMD, president of The Digital Dentist, says. “They define level 1 as not only that you didn’t know about it but that you couldn’t or shouldn’t have known about it. They’ll say you probably didn’t know that this was even a vulnerability, but they’re still going to nail you.”

Tier 2 is defined as reasonable cause, where there is a reasonable expectation that a practice should know about the violation if they have exercised due diligence. Tier 3 enters the realm of willful neglect of HIPAA regulations, but the violation is corrected within 30 days of discovery. Tier 4 is also defined as willful neglect, but no effort is made to correct the issue within 30 days.

“The worst level is willful neglect,” Dr Lavine says. “HIPAA says you have to do a regular risk evaluation and resolve any issues that are discovered during that evaluation. With willful neglect, they have to establish the fact that you knew you were not in compliance after you’ve followed the HIPAA regulations and done a regular risk assessment.”

When a risk assessment is completed, it generates a version of a treatment plan known as the HIPAA management plan. In the event of a potential violation, the risk assessment and management plan will be brought into play.

“If you haven’t lifted a finger to address any of the issues that were found during that risk assessment or that are on that plan, by definition, that’s willful neglect,” Dr Lavine explains. “And that’s when you start to see some of these multimillion-dollar settlements and fines and penalties. They don’t typically mess around if they have evidence that you knew you [were] at risk and purposely decided not to address those risks.”

The fees issued by the OCR can be incredibly high, depending on the severity of the breach, the amount of negligence involved, and the volume of patient information that was compromised. Factors such as the number of individuals affected, whether the breach caused harm to patients or inhibited their access to future health care, the practice’s compliance history, and the dental practice’s size all come into play when fines are determined. These mitigating factors can result in a higher or lower penalty.

“A HIPAA breach can be life changing, career ending—any description you want to put in there,” Dr Lavine says. “You could lose all your data and at the same time be hit with millions of dollars in fines and penalties. There aren’t too many practices out there that would be able to survive something like that.”

True Cost of a Breach

Unfortunately, numerous organizations have learned the hard way just how steep these penalties can be. In 2019, the University of Rochester Medical Center in New York was penalized with a $3 million fine after the loss of a laptop that didn’t have any encryption.³ In 2020, a nonprofit health system based in Rhode Island paid the OCR $1,040,000 to settle their own HIPAA violation after an unencrypted laptop was stolen.⁴ Premera Blue Cross faced a $6.85 million fine in 2020 for risk assessment and risk management failure after a data breach that affected more than 10.4 million individuals.⁵ And the list goes on.

It may be easy to write off these risks as issues faced by large medical organizations or insurance companies, but dental practices aren’t immune from HIPAA violations. In 2022, there were 22 announced HIPAA enforcement action resolutions, 8 of which were for dental practices.⁶ The practices faced combined fines totaling more than $200,000—and that only included penalties levied by the OCR, not civil lawsuits related to the breaches.⁷

Payments to the OCR aside, civil lawsuits can be even more devastating. In some states, patients can file a lawsuit against a HIPAA-covered entity (such as a dental practice) if it can be proven that the practice was negligent.

“If you’ve [experienced] a breach, one of the requirements by HIPAA law is that if you have more than 500 patient records, which almost every practice does, you have to send a letter to every one of those patients informing them of the breach and that their information might have been compromised,” Dr Lavine says. “Once that letter goes out, you’re getting sued. Someone is going to sue you, and probably a lot more than 1 [person]. At that point, you’re looking at fines, you’re looking at the government settlements, and you’re looking at the results of the lawsuits.”

In one case, a medical center in Montana was the victim of a cyberattack in 2021, in which hackers had access to their systems for at least 4 days. Protected health information of more than 213,500 individuals (including names, dates of birth, medical record numbers, contact information, insurance claim and health insurance information, dates of service, etc) were accessed by the hackers. A lawsuit was filed, and the ensuing settlement granted affected parties up to $25,000 each, a number that adds up to astronomical fees when the number of patients affected is considered. In the end, the health group ended up paying more than $4.3 million in the settlement.⁸

The weight of these fines, settlements, and lawsuits are compounded further by the cost of downtime experienced by a practice in the wake of a breach as well as the price of ransom in the event of a ransomware attack. “The average loss due to downtime of a breach is 3 to 7 days, depending on what sort of backup you place,” Dr Lavine says. “It’s an average loss of [approximately] $65,000 just for that. And then you must consider that in a lot of cases, you still have to pay the ransom, so that has to be factored in as well. When all is said and done—downtime, ransom, fines, penalties, settlements—it would be rare to see someone get off with anything that’s less than 6 figures and potentially 7 figures.”

How Breaches Happen

Although these situations seem like unbelievable horror stories, experiencing a breach can happen to any practice. In many of these cases, the breach happens in the most everyday and innocent of circumstances, such as a routine check of email.

“The number 1 way [that] breaches occur is through email,” Dr Lavine says. “Maybe it looks like it comes from a colleague, and you click on a link, and then it’s game over; the malware has been introduced into your system.”

Breaches can also happen because of security holes in your software, such as your operating system. For example, every few years, Microsoft will end support for one of its operating systems. In 2014, it was Windows XP, whereas support for security updates and fixes for Windows 7 ended in January 2020.⁹ When support is ended, security patches are no longer applied.

“Patches are critical because every software has security holes in it, and it constantly needs to be patched,” Dr Lavine says. “A lot of people don’t know that there’s a HIPAA requirement called patch management; you have to be patching your software under HIPAA law. Whenever Microsoft stops patching software, offices that are still using that operating system are no longer HIPAA compliant.”

Once patch support has ended on a platform or program, a practice is left with unsecured software in violation of HIPAA requirements. For programs that are still receiving patching, some programs, such as Windows, allow practices to set up on Microsoft’s automatic patching schedule. Although this seems like an easy solution to patching challenges, it can have its own problems.

“I don’t typically recommend using the automatic patching, because you have no control over when the patches are applied,” Dr Lavine says. “It could be in the middle of the day, and you have no say on that. Plus, a lot of times the patches from Microsoft also have security holes in them or cause problems, so you have no control over when that patch is applied.”

To avoid this, Dr Lavine suggests employing a managed service provider to control the patching. A provider decides which patches are applied, when they’re applied, and how they’re applied.

“This is not something that most dental offices are typically qualified or have the time or desire to do,” Dr Lavine says. “We always recommend that an office work with an IT [information technology] company that specializes in health care, because between HIPAA and protecting all your assets, you’re best served by working with somebody who knows what they’re doing and can make sure you don’t suffer that career-ending event.”

Recovery Steps

Unfortunately, even the most tech savvy of practices aren’t immune from a breach. If the worst does happen, there are a couple of steps that practices should take immediately to mitigate the consequences.

“If you’re smart, you’ve got insurance,” Dr Lavine says. “And at the point of the violation, the insurance company can take over. So, if you have an insurance company, call them immediately. That should always be your first call.”

Your second call, Dr Lavine says, should be to the practice’s IT company (or whoever is handling the practice IT). Affected devices should be brought offline immediately to prevent issues from growing.

“You have to get that virus out of there first,” Dr Lavine says. “Like with any disease, you’ve got to remove the disease before you start the recovery. And that’s the most time-consuming thing, but you’ve got to do it. We have to use forensic techniques to figure out where the virus got in and what computers have been hit by this. You have to spend time getting rid of the virus, recovering, and getting your data back.”

Once you’re assured of that, the practice should deal with the insurance company to figure out the legal obligations related to the breach. HIPAA’s breach notification rule requires practices to provide notifications to various parties in the wake of a breach, including affected patients, the OCR, and, in cases affecting more than 500 patients in a state or jurisdiction, the media.10 Practices should also consult state rules and regulations and check with the state dental board to see whether there are additional steps they need to address.

“Starting the recovery is a multiday process,” Dr Lavine says. “It’s a multifaceted task involving multiple people, so you’ll have a lot of hands on that cookie jar trying to get you back to where you need to be. It’s not typically something that an office can do on its own, which is why it’s important to have professional support and advisers to help you.”

Although it may take a few days to get a practice back up and running, practices shouldn’t expect that to be the end of the story. Depending on how many patient files were affected, what steps need to be taken, how many data were lost, or how soon the breach was caught, Dr Lavine says practices can expect it to take half a year or more to get back on their feet. “In our experience, 6 to 18 months is fairly standard,” he says. “It depends on how many data were lost; if there’s minimal damage, that’s going to be a different story than if you lost the data permanently. [If] you had to pay hundreds of thousands [of dollars] in fines, penalties, and ransom to get to that point, it will be like starting the practice over again.”

Practices will also be facing the task of managing patient relationships after a breach. This becomes a challenging undertaking if the practice is unable to recover their data in a ransomware attack. Without that information, practices won’t have their schedule, the patient’s payment information, insurance details, or even the patients’ histories and files.

“In this case, you’re going to lose a significant portion of those patients,” Dr Lavine says. “If they come in and you say, ‘Look, we lost your data; we’d like to start over with x-rays and charting and get all your information again,’ it’s not going to be a pleasant conversation.”

But although it may feel like starting over, that doesn’t mean it’s a dead end, just a step back. By taking proactive steps, practices can mitigate the effects of a breach by working with insurance companies, IT support providers, and financial advisers. Although it’s a long road to recovery, practices can recover.

Playing It Smart

The bottom line is that the best way to recover from the financial impact of a HIPAA violation is to prevent it from happening in the first place. “There’s [an] old adage: An ounce of prevention is worth a pound of cure,” Dr Lavine says. “In this case, it’s an ounce of prevention is worth 10 tons. It doesn’t take much in the way of prevention, but it is easier to never [experience] a breach than it is to deal with the aftermath of one.”

When it comes to prevention, there are 3 primary steps to prevent a breach. First, make sure nothing can get into the practice’s network. Second, if something does get in, deal with it immediately. And third, be able to recover your information if all else fails. To prevent ransomware or cyberattacks from entering a practice’s system in the first place, Dr Lavine recommends implementing application whitelisting. Application whitelisting allows practices to tell the system which programs are allowed to run on the network and prohibits any other programs from running. Because malware and viruses are small programs, if the system doesn’t see them on the white list, they won’t be able to run.

“In the 2.5 years that we’ve been using application whitelisting for our clients, we have yet to see a single virus infection,” Dr Lavine says. “We would not have been able to say that before this.”

Most practices already have a large amount of overhead, and spending $2000 a year on application whitelisting, firewalls, and antimalware software may seem like an unnecessary addition to that burden. However, practices should approach these costs as they approach car insurance: You may never need it, but the time you do, you’re going to be unbelievably glad you have it.

“You’re going to spend money every year on firewall updates, application whitelisting, and malware and never think that you’re seeing a return on investment,” Dr Lavine says. “Until the one time that you get hit with an attempted breach and your antivirus software tells you that it blocked a program or the application whitelisting stopped a program from running, and you realize if it had gotten through, it would be worst-case scenario. Hopefully, you never have to think about these tools, but they’re there, and you’ll be really glad they are if the occasion arises.”

If all else fails and something breaches your security, it’s critical for practices to have a solid encrypted backup locally and offsite that data can be recovered from. This ensures a practice will still have access to patient files and data in the event that ransomware holds the practice’s files hostage. With access to files, a practice doesn’t have to start completely at ground zero after the breach.

In addition to data backups, having breach insurance or some type of cyber liability coverage will help immensely in the recovery process. With insurance, the practice will not have to pay all the fines and settlements out of pocket (which, if a practice did have to do, could easily end in bankruptcy). By being proactive and getting these contingency plans in place before they are ever needed, practices can lay the groundwork for a recovery that they will hopefully never have to make.

“Practices do recover from this,” Dr Lavine says. “But it’s certainly a long road back. When you consider that you can protect yourself with a relatively minimal investment of money, time, and energy, it’s hard not to justify taking at least some rudimentary steps to make sure that it never happens to you.”

References

1. Alder S. 2022 Healthcare data breach report. HIPAA Journal. January 24, 2023. Accessed June 14, 2023. https://www.hipaajournal.com/2022-healthcare-data-breach-report/

2. What are the penalties for violating HIPAA? American Dental Association. Accessed June 14, 2023. https://www.ada.org/en/resources/practice/legal-and-regulatory/hipaa/penalties-for-violating-hipaa

3. Failure to encrypt mobile devices leads to $3 million HIPAA settlement. US Department of Health & Human Services. November 5, 2019. Accessed June 12, 2023. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

4. Lifespan pays $1,040,000 to OCR to settle unencrypted stolen laptop breach. US Department of Health & Human Services. July 27, 2020. Accessed June 11, 2023. https://www.hhs.gov/guidance/document/lifespan-pays-1040000-ocr-settle-unencrypted-stolen-laptop-breach#:~:text=Lifespan%20Health%20System%20Affiliated%20Covered,settle%20potential%20violations%20of%20the

5. Health insurer pays $6.85 million to settle data breach affecting over 10.4 million people. US Department of Health & Human Services. September 25, 2020. Accessed June 14, 2023. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html

6. Castricone DM. HIPAA enforcement in 2022: the year of the dentist. DMC Law, LLC. January 24, 2023. Accessed June 14, 2023. https://dmclawllc.com/2023/01/24/hipaa-enforcement-in-2022-the-year-of-the-dentist/

7. HIPAA violation fines. HIPAA Journal. June 6, 2023. Accessed June 11, 2023. https://www.hipaajournal.com/hipaa-violation-fines/

8. Alder S. Logan Health proposes $4.3 million settlement to resolve class action data breach lawsuit. HIPAA Journal. January 25, 2023. Accessed June 14, 2023. https://www.hipaajournal.com/logan-health-proposes-4-3-million-settlement-to-resolve-class-action-data-breach-lawsuit/

9. Windows 7 support ended on January 14, 2020. Microsoft. Accessed June 14, 2023. https://support.microsoft.com/en-us/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962

10. Breach notification rule. US Department of Health & Human Services. July 26, 2013. Accessed June 13, 2023. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html