
Is it safe to keep using services from an organization after a data breach?

According to a comprehensive study ‘Privacy please: Power distance and people’s responses to data breaches across countries’ published in the Journal of International Business Studies, individuals’ willingness to continue patronizing a business after a data breach varies across cultures and is influenced by perceptions of privacy, trust, and the organization’s response to the breach. The study specifically states, “We propose that power distance affects people’s attributions of data ownership, and this, in turn, shapes their willingness to continue patronizing a business after a data breach.”

In the United States, the study notes, a large majority of consumers express reluctance to continue using services from a breached organization, with 71% stating they would stop doing business with a firm that mishandled sensitive data. Health records are among the most sensitive categories of personal data, so this concern applies with particular force to breached healthcare organizations. In practice, some users keep using the service, often for lack of alternatives, for convenience, or because they perceive that security has improved, while many others end the relationship.

The decision to continue using services from a breached healthcare organization should rest on a careful assessment of the organization's response, the effectiveness of its remedial actions, its regulatory compliance, and your own risk tolerance. Organizations can recover from a breach and restore trust, but continuing to use their services is not inherently 'safe'; at best it is a reasonable, informed choice.
The reality of healthcare data breaches

A collaborative analysis of data breaches published in Healthcare (Basel) found that over the 15-year period from 2005 to 2019 there were 6,355 reported data breach incidents across all sectors, with the healthcare industry alone accounting for 3,912 of them (61.55%). This prevalence underscores the healthcare sector's exposure to data theft, driven by the high value and sensitivity of health records on the black market.

In the year 2019 alone, 41.2 million healthcare records were exposed, stolen, or illegally disclosed in 505 distinct breaches. Looking at a broader timeframe, from 2010 to 2019, the total number of individuals affected by healthcare data breaches reached 255.18 million, based on HIPAA and OCR reports. 

The year 2015 saw a dramatic spike, with 110.7 million records compromised in just 289 breaches, accounting for over 40% of all health records exposed during the decade. Large-scale breaches have continued since, with hacking and IT incidents becoming increasingly prevalent: of the decade's hacking-related breaches in the healthcare sector, 81.85% occurred between 2016 and 2019, and 32.23% were reported in 2019 alone.

While theft and loss of physical devices or records were once the leading causes, recent years have seen a surge in hacking and IT-related incidents, which now account for the majority of compromised records. From 2010 to 2019, 29.72% of breach incidents were due to hacking or IT incidents, and in the last five years of that period, over 92% of exposed records were attributed to such attacks. Unauthorized internal disclosures have also increased, accounting for 29.47% of breach incidents, while theft and loss have shown a relative decline.
The immediate consequences of a healthcare data breach

The 2015 breach of Anthem Inc., one of the largest U.S. health insurers, compromised the personal information of nearly 79 million individuals. The breach led to immediate public outcry, loss of consumer confidence, and a drop in stock prices. Anthem faced multiple lawsuits and regulatory investigations, costing hundreds of millions in settlements and remediation.

Similarly, in 2020 the University of California San Francisco (UCSF) paid a $1.14 million ransom after a ransomware attack encrypted data on servers in its School of Medicine. The attack disrupted operations and exposed weaknesses in the institution's cybersecurity defenses.

These examples show that breaches can cause immediate operational paralysis, forcing organizations to divert resources to incident response rather than patient care. They also show the psychological impact on patients, who may fear identity theft or misuse of their health data.
Why the organization's response matters

Legally, under HIPAA and the HITECH Act, business associates have explicit obligations to protect electronic protected health information (ePHI) and to notify the covered entity of any breach of unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified, in practice encryption or destruction; a breach of properly encrypted data where the decryption key was not also compromised does not trigger the notification requirement. The 60 days are an outer limit, not a target, and the clock starts when the breach is discovered or would have been discovered with reasonable diligence.

Ethically, the response of business associates matters because patient data are highly sensitive and personal, often including information about mental health, substance abuse, reproductive health, and other vulnerable aspects that, if disclosed improperly, can lead to stigmatization, discrimination, or denial of care. 

The ethical duty to protect patient confidentiality extends beyond legal mandates; it reflects the fundamental principle of justice and respect for persons in healthcare. An Interactive Journal of Medical Research study on the topic of the ethical challenges of patient data ownership notes, “Ethical stewardship requires business associates to act transparently, promptly investigate breaches, and collaborate with covered entities to limit damage. Moreover, the ethical responsibility includes safeguarding data during sharing and ensuring that patient consent and privacy preferences are respected wherever possible.” 

Examples of effective responses from business associates 

OneTouchPoint (OTP), a third-party mailing and printing vendor, disclosed in July 2022 a breach affecting roughly 2.6 million individuals. OTP was criticized for delays in notifying affected clients and patients, and the incident underscored the need for rapid breach detection and communication. Following public scrutiny and a class-action lawsuit, OTP and its healthcare clients have since prioritized annual security policy reviews and verification that business associates maintain HIPAA compliance to prevent future incidents.

Another example is the response to the Shields Health Care Group breach in March 2022, in which an attacker had access to the network for nearly two weeks. The company's security alerting detected suspicious activity mid-incident, prompting an investigation. Although data compromise was not immediately confirmed, Shields Health Care Group's activation of its incident response protocols and cooperation with forensic experts helped contain the breach and inform affected parties about the potential risks.

Broward Health disclosed in January 2022 a breach that originated with a compromised third-party medical provider that had access to its network. The root cause was linked to the provider's failure to implement multi-factor authentication (MFA). In response, Broward Health and its vendor implemented MFA across all endpoints and strengthened privileged access management, illustrating that an effective breach response includes not only incident containment but also security enhancements that remove the original access path and prevent recurrence.
Is it safe to continue using breached services? 

The Healthcare (Basel) analysis cited above found that healthcare data breaches are now predominantly caused by hacking and IT incidents. Given this risk, covered entities must carefully assess a breached vendor's remediation efforts, security posture, and HIPAA compliance before deciding whether to maintain or terminate the relationship.

Covered entities are responsible under HIPAA for ensuring that their business associates, including vendors of HIPAA compliant email services, implement adequate safeguards and respond appropriately to breaches. Failure to conduct due diligence, or to sever ties with persistently non-compliant vendors, can expose covered entities to substantial regulatory penalties and reputational damage.

Continuing to use breached services without enough assurance of improved security can jeopardize patient trust and care quality. Data breaches can disrupt hospital operations and negatively affect patient outcomes, such as increased mortality rates and delays in care delivery. The operational degradation stems partly from the diversion of resources to breach remediation and system recovery. 
FAQs

What due diligence policies and procedures should our organization have for evaluating business associates?

Your organization should have written policies, procedures, and checklists that address each relevant risk category for a prospective business associate: its privacy and security safeguards, its breach history and notification practices, its regulatory standing, and the contractual terms it will accept.
What are common red flags to watch for during due diligence?

Red flags include exclusion from federal healthcare programs, lack of transparency, inability to provide documentation, vague references, inadequate staffing, or previous criminal/civil penalties.
What contractual elements are necessary in agreements with business associates?

Contracts must include a Business Associate Agreement (BAA) covering privacy/security standards, breach notification, compensation, audit rights, documentation requirements, and liability provisions.
How often should due diligence and contract reviews be conducted?

Due diligence is ongoing; annual risk assessments and contract reviews are recommended to ensure continued compliance and security.
