Healthcare sector leads in costs for data breaches, study finds
- Data breaches can cost companies millions in lost business, recovery efforts and reputation loss. In 2018, the average global cost of a data breach was $3.86 million, up 6.4% from the previous year and nearly 10% from 2014, according to new analysis conducted for IBM Security by Ponemon Institute.
- For the eighth year straight, healthcare organizations had the highest breach-related costs of any industry at $408 per lost or stolen record — nearly three times the cross-industry average of $148.
- For mega breaches — those involving between 1 million and 50 million records — the cost to organizations can run as high as $40 million to $350 million. The global 2018 Cost of a Data Breach Study is based on interviews with 500 companies that experienced data breaches.
Healthcare organizations, with their rich stash of electronic patient medical records and other personal data, are a prime target for cyberattacks. In January alone, a ransomware attack froze computers at Greenfield, Indiana-based Hancock Health, and West Virginia-based Coplin Health Systems reported that a stolen laptop may have compromised 43,000 patients’ records.
Then, in February, Partners HealthCare notified 2,600 patients that their personal information was at risk after an unauthorized third party introduced malware into its IT system.
And just last month, HHS’ Office for Civil Rights slapped the University of Texas MD Anderson Cancer Center with a $4.3 million HIPAA fine following an investigation into three data breaches affecting more than 33,500 patients.
Despite the costs and ongoing threat, a Black Book Market Research survey found eight in 10 hospitals and health systems lack a C-suite leader to manage cybersecurity enterprise-wide.
Of 11 companies that experienced mega breaches in the past two years, 10 were due to malware or cybercriminal attacks rather than human error or system flaws, the report notes. The average time to detect and contain a mega breach was 365 days, compared with 266 days for smaller breaches.
The biggest toll with mega breaches was lost business, which rang in at about $118 million for breaches affecting 50 million records.
For organizations trying to contain their losses in the event of a breach, having an incident response team was the number one cost saver — trimming the price tag by $14 per lost or stolen record. Having an AI platform for cybersecurity also cut costs, by $8 per record.
The report found that organizations that use security automation tools to identify and contain data breaches were able to cut their losses from a breach by more than $1.5 million — reducing total costs to $2.88 million versus $4.43 million for those without automated security technologies.
“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach,” Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs.”
U.S. companies had the highest costs associated with breaches, averaging $7.91 million — much of that due to lost business. The report cites a recent IBM/Harris poll showing 75% of U.S. consumers won’t do business with a company they don’t trust to protect their personal data.