While a lot of breach education is focused on OCR settlements, class action lawsuits are a little less consistent - but no less expensive. It is reported that Community Health System is settling their 2014 ePHI breach with affected patients for $4.5M. To be clear, this is NOT part of an OCR settlement.
A judge is working to approve a settlement under which patients who can demonstrate that they paid expenses related to the breach, or lost time working to secure accounts, can claim up to $250. Patients who suffered identity theft or fraud are entitled to up to $5K in damages.
Failing to maintain a compliant and secure program is much more expensive than dedicating the resources required to prevent a breach. Count on individual or class action litigation after a breach occurs, complete with a truckload of legal fees for defending the lawsuit(s).