Average cost of healthcare data breach rises to $7.1M, according to IBM report

A healthcare data breach comes with a hefty price tag—to the tune of $7.13 million on average.

That's up more than 10% from last year, when the average data breach cost healthcare organizations $6.45 million, according to IBM Security’s 2020 Cost of a Data Breach Report.

Healthcare organizations continue to have the highest costs associated with data breaches, according to the report, which looked at more than 500 data breaches that occurred last year across 17 industries.

Across all industries, data breaches cost companies $3.86 million per breach on average, or $146 per compromised record.

The IBM study found that 80% of these incidents resulted in the exposure of customers' personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses.

As companies increasingly access sensitive data through newly adopted remote work arrangements and cloud-based operations, the report quantifies the financial losses organizations can suffer when that data is compromised.

The financial impact of a data breach incident is often felt for years, according to the IBM study.

Lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.4 million in the 2019 study to $1.5 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.

Companies are paying a premium for compromised employee credentials, the report found.

In incidents where attackers accessed corporate networks using stolen or compromised credentials, businesses saw data breach costs nearly $1 million higher than the global average, reaching $4.8 million per breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million).

The study also found that the use of smart technology can slash breach costs in half. Companies that fully deployed security automation technologies, which leverage AI, analytics and automated orchestration to identify and respond to security events, experienced less than half the data breach costs compared to those who didn't have these tools deployed—$2.5 million vs. $6 million on average.

But healthcare companies have a low rate of adoption for these technologies. Only 23% of healthcare organizations have fully deployed security automation tools.

"When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies," said Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, in a statement.

"At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well," Whitmore said.

Healthcare companies also take longer to mitigate a data breach, the study found.

On average and across all industries, companies required 207 days to identify and 73 days to contain a breach in 2019, combining for an average “lifecycle” of 280 days.

The lifecycle of a breach averaged 329 days in the healthcare sector.

Within the healthcare industry, 50% of breaches were the result of a malicious attack, 27% were caused by human error, and 23% by a system glitch.

Here are five key findings from the report:

  • Remote work risk will have a cost: Because remote and hybrid work models create less controlled environments, 70% of companies that adopted telework amid the pandemic expect it to increase data breach costs, the report found.
  • CISOs faulted for breaches, despite limited decision-making power: Forty-six percent of respondents said the chief information security officer (CISO) is ultimately held responsible for a breach, even though only 27% said the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 in cost savings versus the average cost of a breach.
  • Majority of cyber-insured businesses use claims for third-party fees: Organizations with cyber insurance spent on average nearly $200,000 less to address data breaches than the global average of $3.86 million. Of the organizations that used their cyber insurance, 51% applied it to third-party consulting fees and legal services, while 36% used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.
  • Mega breach costs soar by the millions: Breaches in which more than 50 million records were compromised rose in cost to $392 million from $388 million the previous year. Breaches in which 40 million to 50 million records were exposed cost the studied companies $364 million on average, $19 million more than in the 2019 report.
  • Nation state attacks—the most damaging breaches: Data breaches believed to originate from nation state attacks were the costliest of all the threat actors examined in the report. State-sponsored attacks averaged $4.4 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.