Breaches happen.

The Mistake. 

An employee of a medical billing firm lost his laptop while working off-site. The laptop contained personal data on 6,500 patients. State law requires notification by certified mail to all impacted individuals that their confidential information may have been breached. To mitigate future claims and restore its image with patients, the physician group also offered free credit monitoring to all impacted patients for a three-year period. The total cost for the notification and credit monitoring exceeded $82,500. The physician group demanded that the medical billing firm reimburse them for that cost. In the meantime, two patients experienced identity theft despite the credit monitoring service. The patients each hired lawyers to take action against the physician group. While it was never proven that the lost laptop was the cause of the identity theft, the physicians group was forced to defend the allegation, and ultimately settled to avoid the distraction and costs of a legal battle.

The Consequences

Medical Billing Firm
Deductible: $5,000 Lost work time: 15 days = $12,000
Lost Client: $18,000
Increase to E&O premium at renewal: $6,000
Total: $41,000

Defense costs: $22,000
Indemnity: $102,500 ($82,500 for costs, $20k to settle two lawsuits)
Total cost to carrier: $119,500 (after Agency deductible)
Total Costs of Claim: $160,500

The Avoidance

  • Remove sensitive data from laptops.
  • Use shared server access via the web.
  • Separate confidential data from identity information so one without the other is useless.