Report: For 9th Straight Year, Healthcare Organizations Hit Hardest by Data Breaches

July 23, 2019
Healthcare organizations also take more time than any other sector to identify and contain a breach

For the ninth year in a row, healthcare organizations had the highest cost of a data breach—nearly $6.5 million on average—according to the annual “Cost of a Data Breach Report” from IBM Security and the Ponemon Institute.

The annual report put out by the two companies examines the financial impact of data breaches on organizations. According to the report, the cost of a data breach has risen 12 percent over the past five years and now stands at $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the study’s authors concluded.

And for small and midsize businesses, the financial consequences of a data breach can be particularly severe. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average. For businesses of this size, which typically earn $50 million or less in annual revenue, losses on that scale can be especially crippling.

For the first time this year, the report also examined the long-tail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67 percent of data breach costs were realized within the first year after a breach, 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach. The long-tail costs were higher in the second and third years for organizations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

More specific to healthcare, not only did this industry’s organizations have the highest average cost of a breach, but that $6.5 million figure was nearly 65 percent more than other industries in the study. Data breaches cost healthcare companies $429 per lost or stolen record on average, which is almost three times higher than the cross-industry average of $150 per lost or stolen record.

What’s more, organizations in the healthcare and public sector take the most time in the data breach lifecycle—defined as the time it takes to identify and contain a breach—329 days and 324 days, respectively. Financial organizations, for comparison, take far less time to identify and contain a data breach (233 days).

Sponsored by IBM Security and conducted by the Ponemon Institute, the report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis also takes into account hundreds of cost factors, ranging from legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity.

Some of the other top findings from this year's report include:

  • Over 50 percent of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
  • However, inadvertent breaches from human error and system glitches were still the cause of nearly half (49 percent) of the data breaches in the report, costing companies $3.50 million and $3.24 million, respectively.
  • While less common, breaches of more than 1 million records cost companies a projected $42 million in losses. And those of 50 million records are projected to cost companies $388 million.
  • The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
  • Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.

"Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses," Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, said in a statement. "With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs."
