
New Study Highlights Potential Fallout After a Data Breach

The fallout after a data breach can be considerable. Consumers are willing to switch brands, and although changing healthcare provider or insurance company is not as straightforward, patients and health plan members are also willing to switch healthcare providers after a data breach.

Potential Fallout After a Data Breach is Suffered

Financial penalties from state attorneys general and OCR can be expected after a data breach that exposes the Protected Health Information (PHI) of patients and health plan members. Risk mitigation measures must be implemented, including the provision of credit monitoring and identity theft resolution services to breach victims. Breach notification letters must also be mailed. These all carry a significant cost to HIPAA-covered entities.

The cost from loss of business as a result of a data breach is more difficult to predict and quantify, although the potential loss of revenue could well eclipse the cost of breach resolution measures. The potential damage that can be caused to a brand is considerable, and recovering healthcare patient trust can be difficult.

A new study recently conducted by digital security firm Gemalto has highlighted how willing people are to make a change following the exposure of their personal and financial data.

Study Highlights Potential Damage to Brand Reputation After a Data Breach

The worldwide study surveyed 5,750 individuals from the United States, United Kingdom, Australia, Brazil, Germany, France, and Japan. Respondents were asked how likely they would be to do business with a company after their personal information was stolen. 64% of respondents said they would be unlikely to do business with a company after a data breach resulted in their financial information being stolen. The figure was lower in the case of theft of personal information, but almost half (49%) of respondents said they would switch companies after the exposure of PII.

Consumers no longer feel that a breach is unlikely to affect them. 19% said they expect their data to be exposed over the course of the next three years. Nearly a third of respondents (31%) said they have already been affected by a data breach.

While a data breach may be expected, consumers are losing patience. They are now much more likely to take action against companies that fail to protect the data they store. Of the respondents who had already had their data exposed, 23% said they have either considered taking legal action against the company or have already done so. Nearly half (49%) of respondents who had not yet had their data exposed said they would consider taking legal action against the company that suffered a data breach.

But how likely is it that patients will switch healthcare providers after a data breach or seek health insurance from another provider?


Patients Are Willing to Switch Healthcare Providers after a Data Breach

For consumers, avoiding a retailer or other business that suffered a security breach is fairly straightforward. Shopping at a different store does not involve much inconvenience. Switching healthcare providers can be more complicated, especially when comparable healthcare facilities are not available locally. Many health insurance subscribers are unable to change as they are tied to a particular company through a workplace health plan. However, if a change is possible, a switch may well be made.

Earlier this year, TransUnion Healthcare conducted a study to determine how likely patients would be to switch providers. The healthcare provider asked 1,000 recent healthcare patients how likely they would be to switch healthcare providers after a data breach. 65% of patients revealed they would be willing to make the change.

Younger patients were most likely to change, with 73% of the 18-34 age group saying they would consider switching healthcare providers. 64% of the over 55 age group said they would consider making the change.

While action can be taken to reduce the risk of a data breach, it is impossible to reduce that risk to zero. A breach may therefore still occur.

That said, the actions taken immediately after a breach can reduce fallout. Issuing breach notification letters to patients promptly, providing a dedicated website and helpline for patients, and being open and honest with breach victims can all help to reduce bad feeling.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.