The going rate for a compromised medical record seems to be $1000 (well, at least that's the asking price) as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.
For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.
The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.
The takeaway for other covered entities and business associates out there: If the OCR HIPAA audits aren't enough of a motivation to get cracking with beefed-up data privacy and security protections, the potential exposure of Sutter Health in this class action suit should be reason enough to get started on this work as soon as possible, and to make it a high priority. Suits like these may be grounded both in state law and in indirect theories flowing from HIPAA/HITECH breaches (since there is no private right of action under HIPAA). The exposure is there, and a number's been put out there to quantify it. However expensive and inconvenient data encryption and other privacy and security measures may be, they are surely worth avoiding $1,000-a-head lawsuits and months of negative publicity.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting