by adgrooms on December 19, 2019

Our recent posts have been sections of a data breach report that we are preparing. Its purpose is to gain insight into the trends and implications of reported incidents over the last ten years. This is our fifth installment with a look at the financial cost of healthcare data breaches.

Data breaches are costly in every business sector worldwide, but when reviewing the information gathered in an IBM report, some figures stood out. The US has the highest per capita breach cost in the world ($233), and healthcare has the highest per capita cost of any industry worldwide ($408), double that of the second-place financial sector. While the numbers show healthcare far in the lead in costs, one thing to consider is that other countries and other industries have different reporting requirements. The US healthcare sector has a strict regulatory body that requires data breaches to be reported, but other sectors and other countries have different levels of oversight. In general, companies are incentivized to avoid reporting in order to escape the added costs and public scrutiny that come with news of a breach. This can skew the results when comparing data from the healthcare industry against other sectors.

Calculating the total cost of a breach can be a complex equation that includes the size of the breach, the estimated impacts on individuals and the business, and the steps previously taken to prevent it in the first place. The only reporting we could find on the exact cost of any single data breach is the HIPAA fines associated with it. There are various costs, direct and indirect, that add up as an organization goes through the stages of a breach.

Potential Breach Costs

It is estimated that a breach will cost health entities $429 per lost or stolen record, a 5% increase from $408 in 2018. All of this adds up to an average of $8 million per incident for reported breaches. In 2018, 13,020,821 individuals were reported to be affected by breaches (breaches affecting fewer than 500 individuals not included). Multiplying the number of affected individuals by the per-record cost gives an idea of the scale:

[Figure: 2018 Breach Cost Total]

A large share of the cost comes from HIPAA violations. Fines are applied based on the entity's "level of culpability" when a breach occurs. In 2019, the annual cap was reduced from $1.5 million for all tiers to graduated amounts, as seen in the following chart.

[Figure: HIPAA Fines Guidance]

The faster a breach is identified, the less it will cost. According to a study of breaches across multiple industries worldwide, the average times to identification and to containment are 197 days and 69 days, respectively. The study also found that organizations that contained a breach in less than 30 days saved $1 million compared with those that took more than 30 days. More time allows more damage to be done, increasing both direct and indirect costs. With 82% of hospitals reporting breaches, data monitoring should be a priority for healthcare IT departments.

How much needs to be invested in prevention to ensure a breach doesn't happen? A study reports that healthcare spends 5% on cybersecurity, with spending on prevention increasing, while the financial sector spends 7.3%. But many healthcare breaches are caused by factors other than cybersecurity, including accidental disclosure, internal actors, and hardware theft. We will look at some of these causes and their impact in a future post.