Last week’s data breach at Community Health Systems, in which data from 5.4 million patients was lost, could end up costing the health system between $75 million and $150 million, according to Forbes digital health columnist Dan Munro.

The CHS attackers, a group now tracked as APT 18, exploited the Heartbleed bug to obtain VPN login credentials, experts have told VentureBeat.


CHS said in a filing that no clinical data was taken in the theft but that Social Security numbers (the holy grail for identity thieves) were lost, along with an array of personal information that included patient names, addresses and phone numbers.

All of that information is covered by HIPAA privacy laws. And this comes just a few months after an attorney for the Office for Civil Rights (the Health and Human Services office charged with monitoring HIPAA compliance) said that the agency would be more aggressive this year about cracking down on privacy violations.

A group in Alabama has already filed a class action lawsuit against CHS. Alabama is one of the 29 states in which CHS operates hospitals.

Fierce Health points out that the OCR has levied nine fines totaling more than $10 million since June 1, 2013. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.

Munro bases his cost estimate of the CHS breach on the following factors:

  1. Remediation (technical, legal and administrative)
  2. OCR fines associated with HIPAA violations
  3. Identity theft protection or credit monitoring for patients
  4. Defending against both patient and shareholder lawsuits and settlements
  5. The incalculable cost of potential insurance fraud stemming from 4.5 million exposed Social Security numbers

Two years ago, Blue Cross Blue Shield of Tennessee lost about a million records and incurred losses of an estimated $17 million as a result.

Part of that was a $7 million bill for improved security systems. CHS, security experts point out, relied heavily on open-source or free security tools, and it could have to invest millions to upgrade to more sophisticated systems.
