Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that email account to be checked for PHI. It is not always possible to automate that search effectively and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.