Earlier this year, Jackson Memorial Hospital fired two employees for inappropriately accessing Giants defensive end Jason Pierre-Paul’s medical records. The two employees sold the information in the VIP’s record to ESPN’s Adam Schefter. Schefter, who has 5.19 million Twitter followers, tweeted the records while Pierre-Paul had surgery on his right index finger. Pierre-Paul sued ESPN and the NFL for violating his privacy under HIPAA, and in August, a judge ruled that Pierre-Paul could move forward with his lawsuit. This summer, the major-party U.S. Presidential candidates are facing scrutiny over their health records and history. They are under pressure to refute false claims and respond to amateur diagnoses circulating via various media outlets.

Imagine the following scenario: a celebrity is visiting your hospital after suffering a minor injury. One of your employees lets curiosity get the better of him and accesses the celebrity’s electronic health records (EHRs) without authorization. A protracted lawsuit follows, this cost of a healthcare data breach can cost months of time and hundreds of thousands of dollars. The media covers the scandal extensively, costing your organization even more by giving it bad publicity and driving customers away.

Continuing our Cost of a Breach series that examines and breaks down the cost of a hospital data breach, this week’s post will take a closer look at the first two steps a hospital or healthcare institution must take after a data breach has occurred: forensics and notification. In the aftermath of a data breach, the first thing a healthcare organization must do is determine what electronic health records (EHRs) were illegitimately accessed and who accessed them; this process is known as data forensics. Once the scope of the breach is known, an institution must then notify any affected patients and provide them with specific support services.

After a staggering 11 million patient records were breached in June, July's number of total records breached is back down to April’s levels, at 126,930 records (though nearly half of U.S. states had at least one healthcare data breach incident this month). New this month, we present an analysis of the amount of time a breach goes unreported, finding an average time lapse of two years, with as many as six years elapsing in one case.  

Summer school is still in session! In an effort to help cure vendor fatigue, we’ve decided to put together a Privacy Analytics Primer to demystify all the similar-sounding solutions and phrases out there. We’re focusing on how compliance and security officers can ensure that EHR access is reviewed and patient privacy protected, per 45 CFR 164.308 and 45 CFR 164.312.* Our aim is to help you better determine which type of privacy program is right for your institution.