
August 29, 2023 in Compliance

Managing the Legal Risks of a Healthcare Data Breach [Guest Post]


Cyberattacks are common across different industries, including healthcare. This puts critical personal and medical information in the hands of criminals, but it also costs health companies a considerable amount of money. Today, healthcare data breaches cost an average of $10.93 million. This amount can be attributed to paying fines for violating HIPAA, handling immediate damages, and managing patients’ lawsuits.

Fortunately, on the legal side of data breaches, there are a few ways that healthcare companies can manage risks and prevent further damage:

Focus on incident response
With healthcare companies handling millions of patients’ information, implementing a cyber incident response plan is crucial. HIPAA requires healthcare companies to develop this plan to remain in compliance. It should comprise a data backup plan, a disaster recovery plan, and an emergency mode operation plan. In the event of a cyberattack, this allows you to act quickly and avoid additional damage that would endanger more data and could result in more lawsuits or trials.

Take the ARCare data breach in 2022 as an example. Cybercriminals accessed their data multiple times, enabling them to steal patient records. As a result, ARCare reviewed its data security practices, considered superior risk mitigation strategies, and questioned its lack of response plans before the breach.

Adhere to state and federal data breach laws
Upon experiencing a data breach, the first thing to do is follow the protocols laid out by state and federal law. That way, companies prevent further damage that can put more data in danger and risk their compliance with these policies.

On the federal level, health apps and device companies collecting information must comply with the Health Breach Notification Rule. This requires notifying patients of the breach. Meanwhile, state laws vary. Colorado’s Consumer Data Protection Laws, for instance, require notifying the Office of the Attorney General if the breach involves more than 500 patients.

In 2015, UCLA Health was fined $7.5 million for failing to report a breach on time, an outcome it could have controlled by following these laws and conducting thorough investigations.

Document your chain of custody
A healthcare company can face further legal actions due to malpractice, mishandling of data, and its actions after a cyberattack. This makes documenting your chain of custody essential. The process involves recording the chronological sequence of custody, control, analysis, and transfer of physical and digital evidence involved in the breach. Proper documentation can help authorities validate your claims, which is crucial in trials.

A typical chain of custody document includes the date and time of evidence collection, names of investigators, types of media involved, descriptions of the affected device, and names of the collected files. Take note of these details to improve the integrity of your chain of custody and avoid incidents such as those experienced by Trinity Health.
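The record described above can be kept in a form that makes later tampering or gaps detectable rather than in a free-text note. The following is an added example, not code from the original post or from any product it mentions: each custody entry carries the date and time, the custodian, the device and media description, the collected file names, the SHA-256 of the evidence, and the hash of the previous entry, so a backdated, edited or deleted entry breaks verification. The evidence bytes, device names and investigator names are constructed placeholders, and the hypothetical `CustodyLog` class is this example's own design, not a HIPAA-mandated format.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for a disk image or an exported access log.
SAMPLE_EVIDENCE = b"constructed-sample: exported EHR access log, 2023-08-01\n"

ZERO_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence; every custody entry repeats this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one piece of evidence (hypothetical design).

    Each entry is hashed together with the previous entry's hash, so altering,
    inserting or removing an entry after the fact is caught by verify().
    """

    def __init__(self, evidence_id, device, media, files, evidence, collected_by, when):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)
        self.entries = []
        self._append({"action": "collected", "by": collected_by, "device": device,
                      "media": media, "files": files}, when)

    def _append(self, fields, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else ZERO_HASH
        entry = {"seq": len(self.entries),
                 "timestamp": when.isoformat(),
                 "evidence_id": self.evidence_id,
                 "evidence_hash": self.evidence_hash,
                 "prev_hash": prev}
        entry.update(fields)
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, giver, receiver, evidence, when):
        """The receiver re-hashes the evidence before accepting custody."""
        if sha256_hex(evidence) != self.evidence_hash:
            raise ValueError("evidence hash mismatch: refuse the transfer and record the discrepancy")
        return self._append({"action": "transferred", "from": giver, "to": receiver}, when)

    def verify(self):
        """Recompute every entry hash and check the links; False means the record was altered."""
        prev = ZERO_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log():
    """Collection by one analyst, then hand-off to a lab (all names constructed)."""
    log = CustodyLog("EV-0001", "billing workstation WS-17 (constructed)", "disk image",
                     ["access.log"], SAMPLE_EVIDENCE, "analyst A (constructed)",
                     datetime(2023, 8, 1, 9, 0, tzinfo=timezone.utc))
    log.transfer("analyst A", "forensic lab (constructed)", SAMPLE_EVIDENCE,
                 datetime(2023, 8, 1, 14, 30, tzinfo=timezone.utc))
    return log


def backdated_entry_is_detected():
    """Editing the collection time after the fact must make verify() fail."""
    log = build_sample_log()
    log.entries[0]["timestamp"] = "2023-07-01T09:00:00+00:00"
    return not log.verify()


def altered_evidence_is_refused():
    """A transfer of bytes that no longer match the recorded hash must be rejected."""
    log = build_sample_log()
    try:
        log.transfer("analyst A", "outside counsel (constructed)", b"altered bytes",
                     datetime(2023, 8, 2, 9, 0, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2))
    print("intact:", log.verify())
```

The point of re-hashing on every transfer is that the receiving party, not the sender, establishes that the evidence is unchanged; the point of chaining the entries is that the sequence itself is evidence and cannot be quietly rewritten once it has been shared with counsel or regulators.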

In 2020, Trinity Health’s third-party software partner, Blackbaud, complied with cybercriminals’ demands in exchange for the stolen data and the deletion of its copies. Because no chain of custody was created for this incident, there is no guarantee that the deletion actually occurred, and the event was named the largest data breach of that year, involving 3.3 million patients.

Collaborate with security professionals
After the initial reports, data collection, and other immediate processes are over, you need to reassess your computers and software systems, post-breach procedures, and other processes to avoid repeats of the incident.

It would help to collaborate with security professionals, especially those who work in healthcare and have extensive IT experience, to improve the security of your data systems. They may recommend a patient statement technology, like billing platforms that offer zero-knowledge authentication to the provider and patient. This authentication type eliminates the need to remember and store passwords on a server where cybercriminals can access them.

MailMyStatements is a platform that offers this service. It is also HITRUST Certified, meaning it is confirmed to have the highest levels of healthcare information security. In the future, using technologies like these could help you impede further legal complications.

The legal risks of healthcare data breaches are expensive, time-consuming, and stressful for the involved parties. Luckily, you can manage these risks by following the procedures above.

Written by Hailey Waters for
