Data breaches have become commonplace in every industry. In health care, however, it costs much more to respond to a data breach than in all other industries in this country, according to the results of a recent IBM-sponsored study.[1] The report estimates that a health care data breach costs $380 per record on average versus $225 per record in other industries. While the increased cost of a health care record is unavoidable due to the sensitive nature of the information and the fact that it is more valuable to criminals on the dark web, health care providers can take steps to prepare for a data breach, which can reduce the risk of a breach occurring and minimize costs if one occurs.

First, be prepared. Entities should have a plan for responding to breaches that mobilizes an incident response team and identifies the most critical parties to contact: an IT forensic vendor, legal counsel and your insurance broker. Health care providers and businesses will be best served by having an existing relationship with an IT vendor that can be available on a 24-hour basis to handle cyber security incidents; you do not want to be Googling “cyber security IT vendor” at 8 PM on a Friday night after discovering a breach that cannot be managed internally. As for legal counsel, a skilled data breach lawyer will serve as the quarterback of the data breach response operation, determine legal obligations under various state and federal laws, offer attorney-client privilege protection under certain circumstances and assist with a strategy to mitigate overall risk. Obviously, your insurance broker will help you access any available coverage your business may have (and you should have cyber liability coverage).

Second, comply with the HIPAA Security Rule. Many of the required measures under the HIPAA Security Rule will help reduce the risk of a breach of protected health information (PHI). Among other things, the rule calls for an assessment of all systems where PHI is stored, employee training on security and the implementation of policies and procedures that address the security of PHI and disaster recovery planning.

Finally, practice. We do fire drills because we want to be sure that people will know what to do in the event of a fire. The same is true of data breaches. Gather your incident response team and run through a breach scenario. Then, evaluate your plan to determine if it needs changes based on the results of the drill.

In today’s world, all industries need to be prepared to respond to a data breach, but given the increased risk and cost, health care providers need to move this item to the top of the list.


[1] Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, sponsored by IBM Security.

Dena M. Castricone

Dena M. Castricone, CIPP/US is the chair of the Privacy and Cybersecurity group and a member of the Long Term Care and Health Care groups.  She also serves as Chair of the firm’s Women Expanding Business initiative and co-chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

As the Chair of the Privacy and Cybersecurity group and a Certified Information Privacy Professional (CIPP/US), Dena provides the full complement of data breach coaching services to business and health care clients, including breach notification to individuals and various government entities. Related to data breaches, she also counsels clients on the creation of information security plans, incident response plans and other proactive measures. Additionally, Dena advises clients on compliance with state, federal and international privacy laws, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), as well as many others. Dena has written extensively on privacy and cybersecurity issues and she is the Co-Editor of Privacy and Cybersecurity Perspectives.

Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.