A case in point is the mega-breach at Blue Cross Blue Shield of Tennessee back in 2009. That October, a scallywag (or two) walked away with some spinning servers at a remote employee training site. It took the payer well into 2010 to determine by forensic analysis that slightly more than 1 million members' records had been compromised.
And although the cost per record was far lower than the conventional wisdom might allow—maybe less than $10 a record—who in his right mind would swap checks with the Blues on this debacle? The final tab came to "almost $10 million," according to Mary Danielson, manager of corporate communications for the Chattanooga-based plan.
Given the variables, Economidis and Diamond took their best shot at explaining where the money will flow after a breach.
"If there is a threat of harm, you have to send a letter of notification," Economidis said. "Those are about $1 to $2 per person. You're going to have some legal costs to determine your liability. I'd ballpark that at under $25,000. If it involves credit information, you might want to offer credit monitoring. That's $25 to $30 for everyone who enrolls," he said. Commonly, only 20% to 25% of those who are offered credit monitoring take it, he said.
But if the breach involves employee records or criminal activity, such as using the stolen records for identity theft, the credit monitoring enrollment rates can spike, Diamond said.
After that, the costs are "really difficult to predict and are incident-specific," Economidis said. "You need to find out what was lost." And that could require bringing in teams of specialists in computer forensics as the Tennessee Blues plan did. The cost of a forensic expert can run $3,500 to $5,000 a day.
Then come the real wild cards—what other people might do.
"There is always a chance someone is going to make a claim against you," Economidis said. "It could be a regulatory action. It could be a state attorney general." Attorneys general, you may recall, were empowered under the American Recovery and Reinvestment Act of 2009 to bring enforcement actions under HIPAA on behalf of the feds.
In addition, most states have their own breach laws with penalties.
Follow Joseph Conn on Twitter: @MHJConn.