Assessing The Financial Impact Of 4.5 Million Stolen Health Records


Less than a week ago, publicly traded Community Health Systems (CHS) formally announced to the SEC what amounts to the second largest breach of health records (4.5 million) in U.S. history. According to the filing, the data was stolen between April and June of this year.

Whether or not it was a 90-day event as the company claims ‒ and whether or not the breach was truly a sophisticated attack by an "advanced threat group" from China ‒ has yet to be determined. That's all part of the forensic analysis and legal investigation now underway. Unlike other health record breaches, however, this one is already in district court.

Within hours of the formal announcement to the SEC, the first putative class action lawsuit was filed against CHS in the state of Alabama (here ‒ subscription required). That suit, which will likely be one of many on behalf of 4.5 million patients, signals what will amount to millions of dollars in costs that CHS will incur as a result of the data breach. As a footnote, earlier this month CHS settled a Department of Justice investigation into billing practices for $98 million. Clearly this has not been the best month for the 206-hospital system with over 31,000 beds in 29 states.

It's also an early indication of just how different this case will be compared to a typical retail data breach. In a nutshell, unlike Target (or UPS ‒ announced last Wednesday), health records are not credit or debit cards. In the SEC filing, CHS described the stolen data this way:

The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers. Community Health Systems SEC Form 8-K filing

The fact that the data included social security numbers is a bombshell ‒ for technical, legal and financial liability reasons.

There are many differences between patient data (with and without the clinical or medical component) and typical credit or debit card information. Here are three.

  1. Unlike credit card data ‒ which has built-in mechanisms to protect consumers against fraudulent use (a cardholder's liability for fraudulent charges is usually capped at the first $50) ‒ health data has no such "built-in" protection.
  2. Social Security numbers are "the single most important piece of government-issued identification an American citizen can have, and the most valuable piece of ID cybercriminals can get their hands on" (from What to do if your Social Security Number is Stolen).
  3. Relative to health data, credit "monitoring" is almost completely useless because most of the companies offering it provide no consumer protection against the costs associated with identity theft. In fact, many organizations intentionally mislead consumers by using the terms credit monitoring and identity protection interchangeably, as if they were synonymous. They aren't.

Those that do offer actual "identity theft" liability protection are selling a form of insurance, and it tends to be far more expensive than credit monitoring. CHS has indicated in its SEC filing that it will be providing "identity theft protection," and that will raise its total cost by a significant amount.

Given the nature of health data generally, there are at least five big components to the cost of a large breach.

  1. Remediation (technical, legal and administrative)
  2. Fines associated with HIPAA violations (as determined by the Office for Civil Rights, or OCR, under HHS)
  3. Identity Theft Protection (or credit monitoring) for 4.5 million patients
  4. Defending against both patient and shareholder lawsuits (and settlements)
  5. The incalculable cost to the healthcare system for insurance fraud stemming from 4.5 million Social Security numbers

While the first two are largely unknown (or have yet to be determined), we do have some visibility into their potential cost. A little over two years ago, BlueCross BlueShield of Tennessee (BCBST) estimated its cost at $17 million (for "corrective actions") around a 2009 burglary that netted about 1 million patient records. The "tighter IT" and security remediation accounted for about $7 million, and the settlement with the Office for Civil Rights for HIPAA violations was $1.5 million.

That makes the per-record cost relatively easy to calculate: about $17. Multiplied by 4.5 million, that equals about $77 million ‒ but that's simple multiplication, and BCBST didn't have pesky patient or shareholder suits to contend with.

The OCR penalty for CHS could also be higher in this case because of both the sheer size of the breach and the fact that it spans 29 states. The largest single OCR settlement to date was a combined $4.8 million earlier this summer (Columbia University and New York-Presbyterian Hospital). Even if OCR doubles the Columbia/NYP figure, it would still be less than $10 million.

Actual "identity theft protection" (if that's truly what CHS meant) will be a significant component. In either case, identity protection or credit monitoring is largely a "good will" gesture, and it's entirely opt-in. Most people never sign up for credit monitoring when it is offered. According to Linn Freedman, leader of Nixon Peabody's Privacy and Data Protection Group, only about 10-15% of people actually sign up for credit monitoring, and most of the time that protection lasts only one calendar year.

The retail cost of an identity protection service like LifeLock (with a $1 million identity theft policy underwritten by State National Insurance Company) is about $110 per year. While the wholesale price of that kind of service would be significantly less, it won't come close to the very low cost of a basic credit monitoring service (about $12 to $20 per consumer per year). Assuming a 30% opt-in rate (double the high end of Freedman's observation), or about 1.35 million enrollees, the total amount for CHS to provide one year of coverage ranges from roughly $20 million (simple monitoring at about $15 per enrollee, the midpoint of that range) to over $74 million (actual protection with a $1 million policy at a 50% wholesale rate, or $55 per enrollee).

Obviously, if enrollment is higher in either program, those figures could double or triple.

Relative to any class action suits, one possible hint is the Sony PlayStation Network settlement of $15 million, which was associated with the loss of credit card data for 77 million PlayStation Network customers. That settlement is still pending, but again, health data is vastly different from credit card data, and there are a lot of unknowns around a class action over a health data breach at this scale (4.5 million patients across 29 states).

OCR under HHS could also elect to be more aggressive. The Columbia/NYP settlement ($4.8 million) was for a comparatively small breach (6,800 records), and the FTC has started to flex its powers in this arena (see the LabMD reference here).

For all these reasons ‒ and as pure speculation on my part ‒ I would peg the full CHS cost component to be (conservatively) somewhere between $75 and $150 million.

Whatever these costs, CHS is not the biggest loser (or victim). This case ‒ like all healthcare data breaches ‒ is one that we all have a stake in because of the incalculable cost to the healthcare system as a whole. The fact is ‒ we all wind up paying for these data breaches. Here's how.

The tendency on the part of many is to assume that Social Security numbers in general have a high resale value among criminals. They don't. What they do have, however, is a range of fraudulent uses that are all very lucrative. Assuming the breached Social Security numbers from CHS show up for sale at all (they may not, for other reasons), the commodity value of a single number (or a group of them) is very low: in this case, about $10 for any quantity up to 1,000.

One source I spoke to suggested that the cost of a "fullz" today is as low as $1 ‒ possibly less.

One of the biggest fraudulent uses of stolen Social Security numbers is medical insurance fraud ‒ both public (Medicare/Medicaid) and private. The industry typically uses $80 billion as the standard "estimate" of Medicare and Medicaid fraud annually ‒ but it's so rampant and diffuse that it's a vague number. We just don't know with any precision.

Private insurance companies have a similar fraud number ‒ but they're even harder to track down because there are hundreds of private insurance companies and they don't advertise fraud related to claims processing.

In both cases ‒ public and private insurance ‒ as long as the healthcare system can support ever increasing costs, the losses just get added to the bill and we all pay in the form of higher healthcare premiums.

It wasn't just CHS that got ripped off here. We all took a hit, because whatever the final direct cost to CHS ‒ $50, $100, $200 million (or more) ‒ those amounts are trivial compared to the potential cost of having 4.5 million "fresh" Social Security numbers available for fraudulent use.

“If you play it right, you can make a lot of money quickly, stealing from Medicare. You can walk into the United States, with limited English skills, no knowledge of medicine, and — if you hook up with the right people, that know how to play the system like a Stradivarius — you can become an overnight millionaire.” James Quiggle, Nonprofit Coalition Against Insurance Fraud ‒ A Medicare scam that just kept rolling ‒ Washington Post, August 16, 2014