- Healthcare continues to be the most expensive industry for data breaches, beating out other sectors for the 13th year in a row, according to research conducted by the Ponemon Institute and published by IBM Security.
- The average cost of a healthcare data breach reached nearly $11 million in 2023, an increase of 8% from last year and a 53% jump since 2020, the report found.
- Although the healthcare sector faces high levels of industry regulation, expenses accrued from data breaches in the sector were almost double compared to the financial industry, which saw the second-most expensive data breaches at $5.9 million.
The IBM report, which analyzed more than 550 organizations that experienced data breaches between March 2022 and 2023, found healthcare had “notably higher” average data breach costs since the COVID-19 pandemic.
The industry was left more vulnerable to attacks after the pandemic spurred a wave of burnout and staff shortages, according to a Moody’s report.
The number of healthcare data breaches has increased nearly every year since 2009, according to a Healthcare Dive analysis. Hacking incidents in particular have ballooned, as hospitals are profitable targets for ransomware, where criminals demand payment in exchange for returning access to critical data.
A ransomware attack against Chicago-based CommonSpirit Health late last year compromised protected health information of almost 624,000 patients, interrupted access to electronic health records and delayed care. In a May earnings report, the health system said losses due to the breach grew to more than $160 million.
The prevalence of hospital data breaches is leading to court battles. Baltimore-based Johns Hopkins Health System is currently facing a class action lawsuit after the system discovered a third-party breach this spring.
Costs are on the the rise for other critical infrastructure industries too, including financial services, the public sector, energy, transportation, education and communication.
Average data breach expenses were nearly 29% higher for critical infrastructure companies compared with other industries, and costs rose nearly 5% from 2022.
These industries were frequently targeted by ransomware last year, according to the FBI Internet Crime Complaint Center. But it can be difficult to gauge the number of ransomware incidents, as many aren’t reported to law enforcement.
That could be a mistake when it comes to cost, wrote researchers behind the IBM report. Organizations in the study that involved law enforcement saved $470,000 in average breach costs.
Still, 37% of victims in the report didn’t contact law enforcement.