When millions of patients have data stolen investors are not your primary audience
There’s no better proof that cyber crises are on the rise than the recent series of posts on this blog, starting with the discovery of a cache of 1.2 million stolen login credentials, followed by the Homeland Security breach exposing personal information on 25,000+ government workers, and now this one, discussing the revelation of an absolutely massive data breach that’s put 4.5 million patient records in the hands of criminals.
Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.
Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.
The specific data involved means every person affected is at high risk for identity fraud, and means that not only can attorney generals from affected states sue, but also the patients themselves.
Community Health Systems is clamming up, with nothing on its website or in its press room to indicate there’s a crisis in progress at all. The one statement it has issued came in the form of a filing with the SEC, making clear that the only audience the organization is concerned about is its shareholders.
The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers. The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.
Speaking only to investors and neglecting the concerns of the affected patients is a foolish move, but not one that’s entirely unusual coming from a sector that’s been slow to adjust to modern crisis management.
In all honesty, we would guess that data breach fatigue will prevent a major public uproar over this incident, but that doesn’t mean Community Health Systems won’t be at serious risk of taking financial damage from a deluge of lawsuits, or being tangled up in several years’ worth of legal procedures, once the hackers start making use of the stolen data. Compounding the situation is the organization’s failure to show any care or compassion for the patients affected, something that’s sure to leave them feeling less than sympathetic.
At this point it’s not a question of if you’ll have a data crisis, but when. While you can’t always prevent determined hackers from doing what they will, the better your preparation is, the more damage will be minimized, and the better your reputation, and bottom line, will come out in the end.
For more resources, see the Free Management Library topic: Crisis Management
[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]