Risk Assessment: Crown Jewel PHI Database Breach at a Healthcare Payer Organization

May 3, 2021  Jeff B. Copeland

The numbers were staggering in 2020.

According to reporting to the HHS OCR:  

  • An average of nearly two data breaches of 500 or more records at a health-industry organization every day.  
  • 92% of breached records were stolen by malicious actors.  

The average cost of a healthcare data breach was $7.13 million in 2020, IBM research found.  

And a headline scan finds a disturbingly wide array of attack methods aimed at healthcare payers and providers recently: not just the typical foothold through phishing, but also hard-to-anticipate directions such as third-party vendors, as in the recent large-scale breaches through Blackbaud (cloud software provider) and Accellion (legacy FTA file transfer appliance). Just this month, the managed service provider for CareFirst BlueCross BlueShield Community Health Plan - District of Columbia (CHPDC) lost control of PHI for 200,000 patients.  

The financial effects of a data breach at a healthcare payer can go on for years: The 2014 breach at Premera Blue Cross was finally settled with a $6.8 million penalty paid to the OCR and $74 million to settle lawsuits, five and six years later.  

One more relevant stat, from the IBM study on the cost of a data breach: About half the time, the CISO is held responsible for the breach.  

We created the RiskLens Cybersecurity Prioritization & Justification Solution for Healthcare Payers on the RiskLens platform to help payer CISOs  

  • Address their organizations’ most significant business risks  
  • Ensure that their budgets are being deployed efficiently and effectively, and  
  • Communicate their priorities to stakeholders in the financial language of the business.  

Contact us for a demo  


The solution comes pre-packaged with data and content to accelerate risk management for the most critical risks faced by health insurance company CISOs – first and foremost, the breach of a crown jewel PHI database. 

The RiskLens healthcare payer solution includes: 

  • The most comprehensive set of data-breach metrics ever assembled for healthcare payers to use in cyber risk analysis, covering probable frequency of attacks, vulnerability to attack, expected costs of incident response, fines and judgments, and more. 
  • A guided workflow to construct data breach risk scenarios specific to your crown jewel PHI assets and likely attacks, then to fill in the relevant metrics to produce quantitative risk analyses showing loss exposure in dollar terms.  
  • Capability to run comparative analyses to see potential effect on loss exposure in dollar terms from adding (or removing) controls and processes, making genuine cost/benefit analysis possible.  
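The last two bullets describe the standard shape of a quantitative (FAIR-style) analysis: threat event frequency times vulnerability gives loss event frequency, loss event frequency times loss magnitude gives annualized loss exposure, and re-running the scenario with a control applied turns the change in exposure into a cost/benefit figure. The Python below is an added illustration of that arithmetic, not RiskLens code and not RiskLens data; the scenario parameters, the "encryption + DLP" control and its assumed 50% vulnerability reduction are all constructed for the example.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One breach scenario. Triangular inputs are (min, most likely, max)."""
    name: str
    tef: tuple              # threat event frequency, attacks per year
    vulnerability: float    # P(a threat event becomes a loss event)
    records: int            # records in the crown-jewel PHI database
    cost_per_record: tuple  # per-record response cost in dollars
    fixed_cost: tuple       # per-event fixed cost: IR, legal, fines, judgments


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    vulnerability_reduction: float = 0.0  # fraction removed from vulnerability
    records_reduction: float = 0.0        # fraction of records no longer exposed


def _tri_mean(t):
    low, mode, high = t
    return (low + mode + high) / 3.0


def loss_magnitude_mean(s):
    """Expected dollar loss per loss event."""
    return _tri_mean(s.cost_per_record) * s.records + _tri_mean(s.fixed_cost)


def expected_annual_loss(s):
    """Closed-form ALE: TEF x vulnerability x expected loss magnitude."""
    return _tri_mean(s.tef) * s.vulnerability * loss_magnitude_mean(s)


def apply_control(s, c):
    """The same scenario with the control's assumed effect applied."""
    return replace(s, name=f"{s.name} + {c.name}",
                   vulnerability=s.vulnerability * (1.0 - c.vulnerability_reduction),
                   records=int(round(s.records * (1.0 - c.records_reduction))))


def control_roi(s, c):
    """Compare ALE with and without the control against its annual cost."""
    before = expected_annual_loss(s)
    after = expected_annual_loss(apply_control(s, c))
    reduction = before - after
    return {"ale_before": before, "ale_after": after, "risk_reduction": reduction,
            "net_benefit": reduction - c.annual_cost,
            "roi": reduction / c.annual_cost - 1.0}


def _poisson(lam, rng):
    """Knuth's sampler; fine for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s, trials=10_000, seed=1):
    """Monte Carlo annual loss: sample TEF, draw the year's loss events, sum their magnitudes."""
    rng = random.Random(seed)
    tri = lambda t: rng.triangular(t[0], t[2], t[1])  # random.triangular takes (low, high, mode)
    losses = []
    for _ in range(trials):
        events = _poisson(tri(s.tef) * s.vulnerability, rng)
        losses.append(sum(tri(s.cost_per_record) * s.records + tri(s.fixed_cost)
                          for _ in range(events)))
    return losses


def percentile(values, q):
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


# Constructed inputs for illustration; not data from the page or from any vendor.
BASELINE = Scenario(
    name="PHI claims database breach",
    tef=(1.0, 2.0, 4.0),
    vulnerability=0.30,
    records=200_000,
    cost_per_record=(20.0, 50.0, 120.0),
    fixed_cost=(1_000_000.0, 3_000_000.0, 8_000_000.0),
)
# Hypothetical control, assumed to halve the chance an attack reaches the data.
DLP_CONTROL = Control("encryption + DLP", annual_cost=750_000.0, vulnerability_reduction=0.5)

if __name__ == "__main__":
    for key, value in control_roi(BASELINE, DLP_CONTROL).items():
        print(f"{key:>15}: {value:,.2f}")
    sim = simulate(BASELINE)
    print(f"simulated mean: {sum(sim) / len(sim):,.0f}  p90 annual loss: {percentile(sim, 0.9):,.0f}")
```

The closed-form figure is what usually ends up on a slide; the Monte Carlo run is there because a point estimate hides the shape of the distribution. With a loss event frequency below one per year the median annual loss is zero while the 90th percentile is a full breach, which is the difference a board needs to see when deciding whether a control that costs less than the expected reduction is also worth its cost in a bad year.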

While the recent incident history for healthcare payers says that a data breach is a question of when, not if, the RiskLens solution enables CISOs to make their best (and most transparent) decisions on defending the organization’s PHI and PII crown jewels.  

Contact us for a demo of the Cybersecurity Prioritization & Justification Solution for Healthcare Payers. 
