From ADA News:
Modern Healthcare reported HHS said last week that it “collected a record $28.7 million from healthcare providers and insurers in 2018 for inadequate responses to data breaches.” This figure exceeds the total of $23.5 million for 2017. Office for Civil Rights Director Roger Severino said, “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.”
HHS has aggressively moved from warning violators to punishing them. Punishing them severely. A typical fine is $200 per exposed record. If you have 3000 patient records on your server and it is compromised, you could face a fine of $600,000. None of which will be paid by insurance.
The largest area of reported data breaches is theft. Not theft of data, but theft of hardware. The number one safeguard you need to implement is encryption of all your patient data.