The headlines about health care data breaches are relentless.

The personal information of more than 8,000 patients was breached when a community health clinic’s vendor published the information on their website. A Texas health system informed 277,000 patients of a breach involving decades-old microfiche medical records that were slated for destruction, but were instead found intact in a public dumpster in a park.

These Texas experiences are not unlike those in other states. Security experts have long predicted that the digitization of medical records would invite hackers. And now there is a new study by the Poneman Institute that found that health care data breaches cost far more than security breaches sustained in other industries. According to the study:

  • Nearly 90 percent of all health care organizations suffered at least one data breach in the past two years.
  • The average cost of a lost or stolen health record was $402, more than 80 percent higher than the average cost across all U.S. industries.
  • The average cost per breach for the health care industry was $2.2 million.
  • Total data breach costs for the health care industry are estimated to be $6.2 billion.
  • Cybercrime-based attacks continue to be the No. 1 cause of breaches.

In addition to the expensive crisis measures that are required by law when there is a data breach, federal fines can be quick to follow. A New York hospital received a $4.8 million HIPAA fine in 2014 as a result of protected health information of its patients being accessible online. A California hospital also paid a $4 million HIPAA fine for medical records being posted online. A $3 million HIPAA fine was assessed against a Florida health insurer when more than 1 million patient records were compromised following the theft of two unencrypted laptops.

The constant onslaught of attacks is enough to cause health care administrators to either lose sleep or to redouble their efforts to secure the data in their possession. Saving money on IT security is no longer an option.

That is why hospitals and other health care providers who cannot afford the risk are taking steps to help build a wall against cyber attacks. SECURETexas is the first state program of its kind in the country offering privacy and security certifications for past compliance with state and federal laws.

The program, managed by the Texas Health Services Authority (THSA) in conjunction with industry collaborative Health Information Trust Alliance (HITRUST), offers individuals and entities involved in the use of electronic health records an affordable and officially sanctioned process to ensure they have in place recognized protections for their patients’ health information.

The many benefits of certification include:

  • It can serve as a mitigating factor for any civil or administrative penalties at the time of an alleged violation of the Texas Medical Records Privacy Act.
  • It can serve as objective third-party evidence of your entity’s history of prior compliance with HIPAA administrative provisions, which must be considered as a factor in determining civil money penalties by the HHS Office for Civil Rights.
  • A scorecard provided by HITRUST will streamline any audit or review brought forth by state or federal oversight agencies, thus allowing your organization more time to concentrate on what matters most — patient care.

Importantly, a single SECURETexas fee can offset the costs an organization may be paying to multiple attorneys and consultants to assess compliance with state and federal requirements. Pricing varies based on size of medical facility, ensuring affordability and accessibility.

For more information on SECURETexas certification, contact George Gooch at or visit

SECURETexas: Enabling the Privacy and Security of Texans’ Health Information