Healthcare News & Insights

Keep patients after a data breach: 5 notification keys

When healthcare organizations are hit with data breaches, they face not only tangible costs like legal fees, but also other consequences that are more difficult to measure, such as damage to the organization’s reputation and lost patients. That’s why it’s critical to properly respond after a breach. 

As criminals get better at stealing data, more people are being personally affected by data breaches. Meanwhile, laws have made it mandatory for organizations to report many kinds of breaches to agencies and potential victims. That’s especially the case in healthcare, where organizations have strict mandates to report security incidents.

In a 2005 survey conducted by the Ponemon Institute, 12% of respondents said they’d been contacted about a breach involving their personal information. In a similar survey this year, that number more than doubled, with 25% of the 2,800 survey respondents saying they have been notified about a breach.

And given the value of health information for criminals, it’s no surprise that many of those breaches took place at healthcare organizations. In fact, 10% of people affected by a breach said their medical or healthcare records were taken.

How did that affect the way people feel about an organization? Among respondents who were affected by a breach:

  • 62% said it decreased their trust and confidence in the organization
  • 39% might discontinue their relationship with the organization
  • 35% will stick with the organization as long as it doesn’t happen again, and
  • 15% will or already have cut ties with the organization.

The way breach victims are notified can have a big impact on how they feel — and whether they remain patients. Yet just 28% of people said they were happy with how they were told about a breach. Here are some steps healthcare organizations can take to improve their data breach notification:

1. Provide all the facts — People care about the security of their personal information, and when it’s at risk, they want all relevant information. However, 58% of people said the notification they received did not include all the facts and “sugar coated” the message.

2. Be clear — Just 48% of people said the breach notifications they’ve received were easy to understand. In addition, 62% said they were too long and poorly written, and 53% said they contained too much “legalese.” It’s important to not only present all the facts, but also present them in a way the average patient can comprehend.

3. Let people know what your organization is doing — When asked what key facts were missing from breach notifications, 51% of respondents said they weren’t told about the protections that were being provided to protect victims from financial damage. Offering that information will let victims know the organization cares about the dangers patients face.

4. Explain the risks and offer advice — Another 25% said they weren’t given information about what steps they should be taking. Explaining the risks people may face and telling them what they can do about it will help reduce fear and confusion.

5. Offer financial help — Most people believe a data breach makes it likely that they will be the victim of identity theft. Therefore, the majority expect some kind of reimbursement, with 63% saying they should be paid for their troubles. While that may not be realistic, 56% said organizations should offer credit monitoring services to breach victims, which is a step many experts recommend.

For more information, download Ponemon’s study here.