Why Immediate Data Breach Notifications Are Very Important to Customers

When a healthcare provider suffers a data breach, the people affected will naturally be upset. Patients hand their data to healthcare organizations on the understanding that safeguards have been put in place to protect it.

When patients and health plan members learn that their sensitive, private data has been exposed or stolen, many decide to take their business elsewhere.

A new study from the credit reporting agency Experian found that when the breached entity manages its response effectively, is transparent, and issues notifications promptly, customer churn is kept to a minimum.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires covered entities to notify breach victims ‘without unreasonable delay’ and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a target. Most patients want notifications to arrive far sooner: according to the study, 73% of patients and plan members expect to be informed within 24 hours of the breach being discovered.

Prompt breach notifications make a measurable difference. Patients and plan members are more forgiving when they are informed quickly: 90% of study participants said they would forgive the breached organization if it had a program in place for communicating breach information to patients. Many organizations, however, are not prepared to handle a breach.

An earlier Experian study found that 34% of breach response plans contain no customer notification procedure, and only 52% of organizations have a data breach crisis or communications program in place. Notifications go out faster when the communications team already knows the notification requirements, the people responsible for each communication have been identified, and the approval process has been agreed in advance.

While very fast breach notifications are the goal, in practice it is often not possible to send them quickly. A phishing attack that results in unauthorized access to an email account requires every message in that account to be checked for PHI, and that review cannot usually be fast-tracked because manual checks are normally needed. Note that the HIPAA notification clock starts at discovery of the breach, not at the end of the investigation, so it is essential to begin investigating immediately. Yet 84% of businesses had no forensic analysis step in their breach response programs, which is likely to delay notifications.

Slow and inefficient communication only compounds the damage after a data breach. 66% of study participants said they would be likely to stop doing business with the breached entity if its breach notification and communication practices were poor, and 45% would not only look for a replacement provider but would also tell their friends and family to do the same.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA