Today: How much 5 health systems are paying to settle data breach lawsuits
Episode 36 • 21st February 2023 • This Week Health: Newsroom • This Week Health

Transcripts

Today in Health IT: how much five health systems are paying to settle data breach lawsuits. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We wanna thank our show sponsors who are investing in developing the next generation of health leaders.

ons a family can face. And in:

We have a lot of different drives we're gonna be doing this year. I'm really excited about what we're gonna be doing in March and April, and I will share that at a later time. But what we're doing in. Is we looked at our average download by month, and our channels average about 20,000 downloads per month.

And for the month of February, for every download we get over 20,000 downloads this month, we're gonna be giving $1 towards Alex's Lemonade Stand and the fight against childhood cancer. We want you to be a part of that, and it's real easy. Just recommend the show to a friend. Have them take a look at it.

right now. So it's Tuesday day. Is this gonna air? This is Tuesday, the 20. So we have about a week left. We are pretty close to 15,000 downloads. And so we are 5,000 downloads away from hitting our goal of 20,000 and getting beyond that. So, recommend it to a friend, have them check it out,

you can either download our Newsroom channel or conference channel. Love to have you do that and help us to raise money for childhood cancer. The goal for this year is $50,000. It's a big stretch goal. That team is really excited about it. Love for you to be a part of it. We're already over $10,000 for this year.

All right, let's get to the story. This story was given to me by Drex. The, the, you know, Drex is the Cher of health IT. Just say Drex and everyone knows who you're talking about. But this came from Becker's. We're gonna talk about the story itself and then we'll go to Drex's post on it. Then we're gonna talk a little bit, we'll riff on it a little bit at the end.

le a data breach lawsuit from:

Kalispell, Montana. Beautiful place, if you haven't been there. Logan Health Medical Center reached a 4.3 million settlement with patients and employees whose personal and protected health information was likely accessed during a cyber attack. I would be interested to look at these and see what determines why they are so high.

es agreed to pay victims of a:

All right, so Drex took a look at that and here's what he had to say on LinkedIn. I think it's worth going through it because a lot of good insight here. So yes, it's the cost of the downtime, inability to build and restore and recovery costs, equipment replacement, incident response costs. Sure, there's the loss of confidence from patients, providers, donors, and staff.

And don't forget the risk to patient safety and the massive disruption being added to patients and families who already are in the midst of some of the worst days of their lives. And yes, the, the pile-on of additional. For already burned-out clinicians who are worried that they'll cause accidental harm to the patient and maybe lose their license and livelihood trying to provide care without the EHR.

Oh, and the tech staff and security team. Speaking of burnout, stress and pressure, it might even include the cost of ransom if you paid it. And of course, the audits, investigations and endless questions from OIG, state regulators, insurance, banks, boards, and other business partners. And about 30 minutes after there's a hint that maybe you've been breached, the lawsuits start and they go on and on and on until months after you've recovered, assuming you recover.

And finally there's a settlement. And he closes it all out by saying, ransomware sucks. I love, I love, you know, I could really stop there. I mean, that's a, that's a great sort of synopsis of everything that goes on, and, and the things you have to take into account. Now, my health system was breached twice, and, and you, you're probably wondering, why would you share that?

Neither, neither of which were preventable in any way, shape, or form. And now why would I say that? Well, at least preventable by me. The first one was about a week into my interim CIO. And we had our data showing up on Google searches, and that was a misconfigured SharePoint server, I believe.

Yeah, I'm pretty sure it was a SharePoint server, which was essentially putting our SharePoint data out onto the, into Google searches. Gives you some idea of the IT environment that I inherited. And the second breach was we had just acquired a medical group. And the administrator for the medical group thought she was doing a great thing and she backed up all the records and put it in her purse, and then proceeded to lose her purse, or her purse got stolen.

Something to that effect. We have no indication that any of those records were ever compromised or used. That purse may have gotten thrown away and the cash taken, we have no idea. But again, two reportable incidents while I was CIO. The, the settlements are re-, and I agree with Drex here. The settlements are really the least of your worries.

The settlements are not, and in the scheme of things are not that great, but the, the amount of attention and work, internal audits, external audits, all the things that Drex is talking about here are absolutely true. The loss of trust with the community that you have to restore, the questions you get from the board, the additional money you have to spend on cybersecurity, the additional money you have to spend on cybersecurity insurance, which is now getting pretty costly and out of control.

I mean it, quite frankly, when you read about the settlement and you read that number, if that number startles you, you should be more startled by the number that Scripps gave, which was 110 million in lost revenue that happened during the outage, the ransomware outage. So there are many more things to consider than just the settlement, but the settlement is, is part of it.

Essentially an admission that you mishandled their data and, I, you know, I haven't heard of anyone saying to me, I'm not gonna go to that health system because of a breach. I believe there is reputational risk that goes along with it, and that may happen at some point in the future, but it's not happening just yet.

Nobody's saying, hey, how are they using my data? Are they sharing my data? Are they selling my data? Are they putting my data in the Google Cloud? Yeah, there's some of that, but very little of that. People do not know. They're kept in the dark in so many areas in healthcare that where their data goes is the least of their concerns.

They want to know how much they're gonna have to pay. They wanna know how much their bill's gonna be. They want to know if the paper they just received is their bill or not their bill. They are used to being treated like second graders who get patted on the head and told, hey, don't worry about this.

We've got this covered for you. All the while we are potentially breaching their data and whatnot. So, yeah, I, I guess my "so what" on this is stop treating patients like they're second graders and patting 'em on the head. Be transparent with them about where you sell their data, how you use their data.

Be transparent with them about the data that does get. And to a certain extent, I know you can't share your security posture with the external world because the external world is the people who are trying to hack you. But to the extent that you can reassure your patients that you are investing.

In this area, you know, and, and follow through on it, right? So this is part of the unwritten contract we have with patients that they can trust us, they can trust us with their health, they can trust us with their data. They can just trust us. And if we ever lose that position of trust with the community, with the patients, we're in for a world of hurt.

So that is the one area that we have over the payer. And it's the one area we have over the tech companies right now. They, they may have convenience. They may have, I don't know. They, they may have other things on us, but they do not have the trust. We are the trusted brand for healthcare in the community and with each one of these breaches, we erode that trust just a little bit.

So all the money you're spending in cybersecurity, all the time you're investing in it is well worth it because it is the foundation of trust with the community. All right, that's all for today. If you know of someone that might benefit from our channel, please forward them. You can do that to raise money for childhood cancer.

You can also do that to help us out, to get our message out there. Our, our mission is to amplify great thinking, to propel healthcare forward, and we do a lot of interviews with great people and we want to get that out to as many people as possible. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts.

Apple, Google, Overcast, Spotify, Stitcher, pretty much everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: SureTest and Artisight. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.
