Healthcare tops all industries when it comes to money lost in data breaches: report

Data breaches hurt all industries, but this is especially true for healthcare, which has lost the most financially to these incidents, according to a new report.

Healthcare losses because of data breaches between 2022 and 2023 increased 8.2%, from $10.1 million to $10.9 million. In the past three years, the average cost of a data breach in healthcare grew 53.3%, the report (PDF), which was conducted by the Ponemon Institute and published by IBM Security, found.

Data for the report were collected in over 3,475 interviews at 553 organizations that suffered a data breach between March 2022 and March 2023. In 2022, the top five industries to have lost money from data breaches were healthcare at $10.10 million, financial services at $5.97 million, pharmaceuticals at $5.01 million, technology at $4.97 million and energy at $4.72 million.

It’s a slightly different look than the top five industries that lost money because of data breaches so far in 2023: healthcare at $10.93 million, financial services at $5.90 million, pharmaceuticals at $4.82 million, energy at $4.78 million and industrial at $4.73 million.

“Healthcare faces high levels of industry regulation and is considered critical infrastructure by the U.S. government,” the report said. “Since the start of the COVID-19 pandemic, the industry has seen notably higher average data breach costs.”

Earlier this month, HCA Healthcare disclosed that hackers stole personal information, including patient names and dates of birth, and posted it online. The health system, which treats 11 million patients, said that its investigation was ongoing.

The data breaches for all industries were most often discovered by a benign third party; the analysis found this occurred in 40% of cases. Internal teams and/or tools identified 33% of breaches. However, 27% of breaches were disclosed by the attacker as part of a ransomware attack.

Perpetrators of ransomware attacks warn the victims not to involve law enforcement, and 37% of victims complied with this demand. But the report indicated that involving law enforcement in fact saves on time and costs. The average cost of a ransomware breach was $5.11 million when law enforcement wasn’t involved, but $4.64 million when it was, a difference of 9.6%.

In addition, involving law enforcement meant that it took 33 days less time to identify and contain a ransomware breach: 273 days compared to 306 days. The mean time to contain a ransomware attack when law enforcement was involved was 63 days, as compared to the 80 days it took to do the same thing without law enforcement involvement.

An automated response playbook outlines the steps needed to be taken by a company’s security team in response to data breaches.

“Automated response playbooks or workflows cut down the time to contain a ransomware breach,” the report said. “Among organizations that experienced a ransomware attack, those that had automated response playbooks or workflows designed specifically for ransomware attacks were able to contain them in 68 days or 16% fewer days compared to the average of 80 days for organizations without automated response playbooks or workflows.”