One of the other large costs associated with a HIPAA breach is the cost of notification. Once a breach of protected health information (PHI) has been discovered, the covered entity must notify every affected individual, and in most cases it also pays for additional services for those individuals, such as credit or identity theft monitoring. HIPAA's Breach Notification Rule requires that affected individuals be notified without unreasonable delay, and no later than 60 days after the breach is discovered. If the breach affects more than 500 individuals, the organization must also notify HHS within that same 60-day window and, when more than 500 residents of a single state or jurisdiction are affected, prominent local media outlets. Smaller breaches must still be reported to HHS, but they can be logged and submitted annually rather than immediately.
The Ponemon Institute estimates that notification alone costs a healthcare organization roughly $560,000 per breach, and that figure scales with the number of people affected. For example, Anthem Inc. disclosed a massive data breach in February 2015 that affected almost 80 million individuals. It has been reported that Anthem spent $40 million on first-class postage alone to notify those individuals that their records had been stolen, and in the months that followed it was reported that Anthem would spend more than $100 million in total on notification and free identity theft monitoring.