Prompt Notification Reduces Data Breach Fallout, Consumer Impact
September 05, 2019 - A recent report from Experian determined that consumers are more likely to forgive organizations that experience a breach when they receive timely notification.
Consultancy KRC Research surveyed 1,000 US individuals on behalf of Experian to gain insight into the impact of data breaches from the viewpoint of consumers. According to the research, consumers are more likely to stay with a business if the response to a breach is prompt, transparent, and properly managed.
In fact, 90 percent responded that they’d be more forgiving of a breached business if they had a communication plan in place beforehand. Just 57 percent said they’d be “somewhat” forgiving under the same circumstance. The report also showed older respondents were much more likely to forgive a breach. However, many organizations do not plan ahead, especially in the healthcare industry.
There’s still an overwhelming number of healthcare provider organizations, covered entities, and business associates that fail to timely respond to breaches, despite the HIPAA rule that organizations must report a breach within 60 days of discovery.
A CynergisTek report from the spring showed HIPAA conformance among healthcare providers declined by 2 percent last year, with just 72 percent conforming to HIPAA.
“Given the threat environment we operate in today where literally some percentage of almost everything computerized is a threat, the inability to effectively discover and respond to events is a real issue,” former CynergisTek CEO Mac McMillan wrote in the report.
In May, the Department of Health and Human Services Office for Civil Rights handed Touchstone Medical Imaging a $3 million civil monetary penalty for its 2014 breach. One of the audit findings showed that the provider took 147 days to notify patients that their data was compromised.
What’s more, in several recent lawsuits stemming from healthcare data breaches, patients have cited a lack of timely notification as part of the reason for filing suit, such as the recent lawsuit against the American Medical Collection Agency, Quest, and LabCorp. AMCA was hacked for eight months, which impacted about 20 providers and potentially 25 million patients.
The Experian report showed that if breached organizations were more proactive in their communications, consumers would be more forgiving. Poor communication and slow notification would likely stop 66 percent of respondents from continuing to do business with the organization.
Another 45 percent said they would seek an alternative service provider and tell their friends and family to do the same.
About 73 percent of respondents said they expect to be notified if their health provider was breached within 24 hours, compared with 83 percent for financial services, 75 percent for a government agency, and 61 percent for a retailer.
And 70 percent of consumers would prefer to hear about the breach directly from the breached organization, rather than hearing about it from the media. Most would also leverage free credit monitoring services provided by the breached organization.
“The lesson is that it is better to get notice out timely than to worry about having full knowledge and details of the breach,” healthcare attorney with Clark Hill Strasburger, Corinne Smith, told HealthITSecurity.com in May. “Timing begins on when it is known, not when the investigation is complete — even if it is initially unclear whether the incident constitutes a breach as defined in the rule.”
“The 60 days is an outer limit, and in some cases, it may be an unreasonable delay to wait 60 days,” she added. “It’s not a good idea to wait until your forensics investigation is complete before thinking about providing notice. “It’s best to run parallel tracks – one preparing to notify patients and the other running the investigation.”
Gloss