Healthcare provider Franciscan St. Francis Health is wading through the fallout after its medical information management contractor Medical Informatics Engineering (MIE) suffered a massive data breach. According to the Daily Journal, the May 2015 breach affected…
- 200 providers across the country.
- 3.9 million patients.
The report states the breach exposed patient records, addresses, phone numbers, Social Security numbers, health insurance details, and birth dates – i.e., the key ingredients for stealing identities, which is why medical records are so lucrative on the black market. You can read more about that in "Healthcare Businesses Beware: Medical Data Worth 10× as Much as Credit Card Numbers."
Franciscan St. Francis Health is just one of many breached providers, but its data breach response is noteworthy because it's basically a blueprint for what not to do after a hack. Let's take a look at some botched data breach response tactics that you should only follow if you want to lose all hope of retaining your customers.
1. Don't Communicate Clearly with Affected Parties
On top of being worried about having their identities stolen, the Franciscan St. Francis Health breach victims are struggling to get useful information from the medical provider. The healthcare facility sent notification letters in late July, but the notices failed to convey any real information about the breach or the data that had been exposed, the Daily Journal reports. Many affected residents didn't even know who to contact about the incident.
For the customers who did locate the hotline, long wait times and disconnected calls only stoked their frustration. The medical provider set up its own 24-hour hotline to manage the influx of calls from confused victims, but the measure may be too little, too late. Once victims get their answers, they may not trust Franciscan St. Francis Health with their business again because its response was so haphazard and delayed.
According to a survey by Intelligent Defense…
- Almost 50 percent of consumers say a company can't do anything to win back their trust if it loses their personal data.
- 35 percent state they would stop giving their business to that company altogether.
Even if Franciscan St. Francis Health played all its cards right after the breach, it would still be fighting an uphill battle to keep its customers. Failing to communicate only makes it more likely that customers will go elsewhere. To learn more about customer attitudes on cyber security, read "Uh-Oh: Customers Don't Trust Businesses When it Comes to Data Security."
2. Keep Breach Victims Waiting
The Daily Journal notes that when affected parties heard the MIE data breach happened on May 26, many were astounded that it took until July 27 to start receiving notification letters about the incident from Franciscan St. Francis Health. There are two sides here:
- From a business standpoint, it makes sense to wait to notify the public until the breach details are sorted out.
- From a customer service standpoint, few things make a customer more exasperated than a long wait.
Most states have data breach laws requiring that affected residents be notified within a set time after the breach is discovered (on average, about 30 to 45 days – more on that in "Reminder: It's Your Job to Keep Customer Data Safe"). That means if you drag your feet on sending out the letters, you could face regulatory fines on top of potentially losing customers.
3. Don't Carry Cyber Liability Insurance
It's already hard enough to repair your business's reputation if a data breach exposes customer information. Don't make it more difficult by not having a data breach response plan in place. Part of that plan may include carrying Cyber Liability Insurance (aka Cyber Risk Insurance or Data Breach Insurance).
This policy may help pay for:
- Notifying affected parties.
- Investigating the cause of the breach.
- Providing credit-monitoring services.
- Creating good-faith advertising to repair your business's reputation.
Cyber Liability Insurance can offer the means to help your business wrangle the serious expenses that follow a breach, but it isn't a replacement for communicating with your customers. Always err on the side of caution by contacting customers as quickly as you can, clearly explaining who they should call with questions, and outlining what you are doing to minimize their exposure.