$6.85 Million HIPAA Fine Still Won't Change Bad Behavior

Mon, Sep 28, 2020 5-minute read

HIPAA regulator HHS-OCR just issued its second-largest enforcement settlement: $6.85 million against Premera Blue Cross (PBC) for a 2015 breach affecting 10.4 million individuals. For HIPAA enforcement, it’s impressive. Yet it is just a drop in the bucket for PBC and does ALMOST NOTHING to deter similar cases.

Before I get into the numbers, a disclaimer, so we can all have the same conversation. This is not an article about PBC, what they did or didn’t do or should have done. PBC is the unfortunate stand-in for what I see as a fundamental challenge in the HIPAA regulatory space (and to an extent with data privacy regulations globally).

Which is this: In many cases, it is still less costly to ignore compliance and risk a future fine than it is to invest in the necessary compliance activities year after year.

Why? Let’s break it down.

Three Percent of Annual Income

Latest available PBC annual net income (CY2018) was $234 million. PBC net worth on 12/31/2018 was $2.35 BILLION.

So… this settlement is about 3% of annual net income or 0.3% of net worth.

To put that in perspective: The median household income where I live is about $64,000/yr. (Net income is an entirely different story.) Three percent is just shy of $2,000. So this HIPAA settlement is the equivalent of an extra mortgage payment, a roof repair, or an unhappy surprise on tax day. Sure it hurts in the moment, but you move on without any soul-searching.

Pennies per Patient

Looking at it another way, a $6.85M fine for loss of 10.4M medical records – including social security numbers and detailed medical information – will cost PBC just $0.66 per patient. Sixty-six cents.

Just $400,000 Per Year

To slice this from one more angle: the HIPAA Security Rule went into effect in 2003. Thus, seventeen years of compliance obligations for PBC. If we annualize the HIPAA settlement over 17 years, PBC is only paying $400,000 per year.

For those keeping score, that’s a mere 0.17% of PBC’s 2018 net income. (Or about $100 for our median household above.)

Spend Wisely?

In an alternate universe, PBC could have used that $400k/yr to hire 3-5 more infosec and compliance professionals. Would an additional $400k/year have prevented the breach? Would they have maintained proper and effective compliance?

Maybe. Maybe not.

Sure, it would have helped. But you cannot unequivocally argue that $400,000 extra spend per year in a multi-billion-dollar company would have significantly reduced their breach risk or increased their compliance.

Rolling the Dice

Ultimately, what happened is that PBC took a series of gambles. Instead of spending resources to create stronger security controls and a proper HIPAA compliance program, they gambled…

  • That they wouldn’t have a major breach,
  • That if they did have a breach they wouldn’t also receive a HIPAA compliance penalty, and finally
  • That if they did get a HIPAA compliance penalty, the cost wouldn’t be consequential.

Well, they lost the first two bets. They did have a major breach. They did receive a HIPAA compliance penalty. But I’m not convinced the penalty is consequential.

They “lost”, but really they just broke even. Ignoring HIPAA compliance cost them about the same as maintaining a HIPAA compliance program would have (if not less). As an objective, amoral risk calculation, PBC’s decision to forego a strong compliance program therefore makes sense.

This is not a good precedent for encouraging HIPAA compliance in other organizations.

So What Did Hurt?

PBC’s real sting came from a class-action lawsuit filed under multiple state privacy laws. The settlement eventually totaled $74 million, including $32 million in damages and $42 million in required security improvements.

This settlement, at 10x the HIPAA fine, is much more likely to impact future security not only at PBC but for others watching.

Interestingly, state data privacy laws were the driving factor here, not the federal HIPAA regulations. HIPAA provides no “private right of action” and restricts enforcement to the federal regulator, the HHS Office for Civil Rights, and to state Attorneys General. Affected individuals cannot sue under HIPAA.

What the Class in this lawsuit did, and what we’re starting to see elsewhere, was to sue under state data privacy laws and reference HIPAA compliance issues as evidence of endemic disregard for data privacy and security.

This settlement, on top of the incident response expenses and the immediate breach fallout, is the kind of impact that may lead boards and C-Suites to invest more in security.

In other words, the consequences of the security failures are expensive. The consequences of the compliance failures are not.

Regulations Without Teeth

The logical conclusion being: HIPAA compliance enforcement is of limited value in driving healthcare information security.

I cannot blame the HHS Office for Civil Rights for this state of affairs, or for the fact that even its “historic” HIPAA enforcement actions have meager effect. Its hands are tied by the regulations.

Nor do I think that more regulations are necessarily the answer.

But if we are going to have a regulation, shouldn’t we expect it to actually affect the behaviors it was designed to change? Including by having the teeth to enforce meaningful penalties on those who ignore the rules?

What is the point of a regulation without teeth?

Final Thoughts

Yes, regulations are valuable in defining minimum standards of care and some level of enforceable expectations. But, at the end of the day, compliance does not equal security. Never has, probably never will.

Many organizations ignore or dismiss compliance requirements.

Other organizations complete their compliance requirements and hope they have become secure.

The best organizations prioritize effective and risk-driven security programs, realizing that by doing so, they make compliance easy.

As for me, I’ll continue to quixotically dream of a world in which we all implement information security in our organizations because it is the decent and honorable thing to do, a way to show respect to those around us, and our duty as responsible netizens.

Now excuse me while I go look for another windmill…

Agree? Disagree? Let me know what you think on Twitter or LinkedIn.