Healthcare data breaches cost an average $6.5M: report

A healthcare data breach comes with a hefty price tag—to the tune of $6.45 million on average.

Healthcare organizations continue to have the highest costs associated with data breaches, more than 60% higher than the cross-industry average, according to IBM Security’s 2019 data breach cost report.

The global survey, conducted by the Ponemon Institute and IBM Security, included in-depth interviews with nearly 500 companies across 17 sectors that experienced a breach. The costs include breach detection, notifying affected individuals, post-breach response and lost business due to downtime, reputational damage and impact to consumer trust.  

Healthcare companies pay $429 per lost or stolen record on average. That's nearly three times higher than the cross-industry average of around $150 per lost or stolen record.

For healthcare organizations, the total cost of a breach and the cost per record has risen 5% and 3.5%, respectively, over the last year.


Across all industries, data breach costs are on the rise, and the financial impact is often felt for years, according to the report.

The cost of a data breach has risen 12% over the past five years and now costs $3.92 million across all industries on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the report said.


Data breaches in the U.S. are vastly more expensive—costing $8.19 million, or more than double the average for worldwide companies in the study. Costs for data breaches in the U.S. increased by 130% over the past 14 years of the study, up from $3.54 million in 2006.

The financial consequences of a data breach can be particularly acute for small and midsize businesses. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, or 5% of annual revenue for businesses that typically earn $50 million or less a year.

Companies in highly regulated environments like healthcare also felt more long-tail costs from data breaches. About 67% of data breach costs were realized within the first year after a breach, with 22% of costs accrued in the second year and another 11% accumulated more than two years after a breach. The long-tail costs were higher in the second and third years for healthcare organizations.


“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, said in a statement. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line and focus on how they can reduce these costs.”

Here are six key findings from the report:

  • Malicious breaches are the most common and most expensive: Malicious data breaches cost companies $4.45 million on average, over $1 million more than those originating from accidental causes such as system glitches and human error. Over 50% of data breaches resulted from malicious cyberattacks, and that percentage has increased 21% over the past six years.

  • “Mega breaches” lead to mega losses: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses, and those of 50 million records are projected to cost companies $388 million.

  • Being prepared can save money: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.

  • System glitches pose big cybersecurity risks: Data breaches resulting from human error and system glitches cost companies $3.5 million and $3.24 million, respectively. One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year.

  • Speed and efficiency impact overall cost: It took the healthcare industry an average of 236 days to identify a breach and 83 days on average to contain a breach—almost two months longer than the average across other industries. Companies in the study that were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.

  • Security automation can reduce breach costs: Companies that had fully deployed security automation technologies experienced around half the cost of a breach ($2.65 million average) compared to those that did not have these technologies deployed ($5.16 million average). Only 15% of healthcare organizations have fully deployed security automation tools.