If you have had medical tests done in the United States, you have most likely come in contact with LabCorp or Quest Diagnostics. These two companies represent the major players in the medical blood testing space. And many of you may have recently heard about the data breach that exposed the personal information of nearly 20 million Americans. What you may not realize is that this wasn't the fault of LabCorp or Quest Diagnostics. It was the result of a breach at their medical billing provider, RMCB/AMCA. Like many of your companies, this billing provider was a small business.
We often try to warn people about the cost of a data breach. This post hopes to show the numbers behind the attacks and the effects they have. In this case, the breach led to a bankruptcy filing.
The damage done by a data breach is often based on the duration of the breach. In the case of Marriott, it went on for four years. However, in the case of RMCB/AMCA it went on for 8 months.
The raw costs add up quickly. In most states, when data is exposed you have to communicate that to your clients in the form of a written letter. If you are a small business and/or deal in a lot of transactional sales, the number of your clients really adds up, even if the dollars are relatively small, not to mention the profit. So, what was the cost of the notification letter in this case? The number of letters mailed was 7 million, costing the company $3.8 million.
Once RMCB/AMCA made the breach public, both LabCorp and Quest stopped sending any more work to them, according to the bankruptcy filing. Bloomberg reports that the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”
The CEO personally lent the company $2.5 million to help pay the expenses. The IT professionals involved billed more than $400,000 at the time of the filing.
There are currently 3 class action lawsuits pending against RMCB in New York and California.
No matter how you look at it, the costs are not nearly over and the expenses will continue to pile up. Putting in proper security controls, appointing someone inside the organization to be responsible for security, purchasing the necessary detection tools, and training the employees is the only way to prevent a situation like this.
When we speak about the cost of a data breach, we are trying to scare you, because what happens to healthy businesses is devastating.