By Jane Ehrhardt
In 2023, 41 percent of small businesses were victims of cyberattack, according to a report from the FBI’s Internet Crime Complaint Center. “Statistically we would suspect at least that same percentage in healthcare,” said Ron Shoe, president of SIP Oasis.
That is especially so with patient data proving to be a lucrative commodity, whether ransomed or sold. “Medical records are worth a lot of money. On the dark web, you can buy a credit card for about $35 or so,” Shoe said. “A legitimate medical record costs $1,000.”
Healthcare system giants, like Change Healthcare and Ascension, have already headlined the news this spring with massive breaches. “My fear is that the big breaches in the news feed the complacency of the small guys, because they think it’s not going to happen to them,” said Shoe, who recently released a book, From Exposed to Secure: The Cost of Cybersecurity and Compliance Inaction and the Best Way to Keep Your Company Safe.
“The small providers are getting screwed too,” he said. “They need to be compliant with HIPAA, not only to protect themselves from what can be extensive HIPAA fines and costs for protocols post-breach, but also from potential post-breach, class-action lawsuits.”
Ascension was facing two class-action lawsuits within a week after the cyberattack hit its 140-hospital system. One claim points to negligence in encrypting patient data, which has left patients at a greater risk of identity theft well into the future. Change’s six suits at last count include pharmacies and providers suing for restitution for revenue lost to slowed insurance claim processing, even though the attack originated from third-party technology and other vendors.
Smaller practices have also proven to be targets for lawsuits. Norwood Clinic, now part of Complete Health, faced a class-action lawsuit after its breach in 2022, claiming that it failed to protect patient information because it could have prevented the breach with reasonable cybersecurity measures. The clinic had 25 physicians on staff. It settled that lawsuit for $2.3 million.
This year, an even smaller practice is facing the same situation. The June 13 breach at Heart South Cardiovascular Group had lawyers circling within days, seeking clients whose information may have been breached. The practice, with offices in Alabaster and Clanton, employs 11 cardiologists. The source of the breach has yet to be divulged.
Practices aren’t the only targets for HIPAA breach suits. “They have one against an insurance company,” Shoe said. “Because HIPAA doesn’t apply to the entity, it applies to the data. The insurance company had medical records in their possession, which puts HIPAA into play. They had to report it, and as soon as it’s reported, the class-action lawyers are on it.
“This is where HIPAA becomes an ally. HIPAA really is a protective dome that goes over a medical practice and shields them both from the hackers, as well as from fines and class actions. Because nowhere does it say you’re not allowed to get breached.”
Compliance is not defined by the outcome—breach or not. Compliance requires that you follow the process of assessing and identifying gaps and carrying out the remediation those gaps need, including security measures and training.
The documentation of that compliance forms the armor. “If you’re doing it right, you’re building a paper trail of all the things you’re doing to protect your information,” Shoe said. “Even if you’re starting right now, just the fact that you’re going through the effort affords you some safe harbor from fines and lawsuits.”
HIPAA is about providing the documentation that proves the entity assesses risks, runs what it can when it can, and is planning to do more as resources allow. If something does happen, the reams of reports handed to auditors, covering assessments, remediations, training logs, and attestations, show an active and aware involvement in protecting the data. “Because the fine is not based on getting breached,” Shoe said. “The fine is based on being negligent to the process. And the thing that chases away auditors is the same thing that chases away lawyers. It’s papers.
“A couple of years ago there was honor among thieves, and hackers were hands-off with healthcare, but it’s not like that anymore. In fact, they are specifically going after healthcare more than any other industry.”
Cyberattacks against the U.S. healthcare sector shot up 128 percent in 2023, according to the Cyberthreat Intelligence Information Center. Shoe’s company, SIP Oasis, blocks on average 50,000 login and email phishing attempts per month per client, with an average client size of 15 to 200 computers, meaning smaller practices are actively targeted. “If we’re blocking 50,000 breach attempts a month, and if you’re not blocking, you’re throwing the dice on every attempt,” Shoe said. “And they’re going to get it right.”