Report: For 9th Straight Year, Healthcare Organizations Hit Hardest by Data Breaches

July 23, 2019
Healthcare organizations also take more time than any other sector to identify and contain a breach

For the ninth year in a row, healthcare organizations had the highest cost of a data breach—nearly $6.5 million on average—according to the annual “Cost of a Data Breach Report” from IBM Security and the Ponemon Institute.

The annual report put out by the two companies examines the financial impact of data breaches on organizations. According to the report, the cost of a data breach has risen 12 percent over the past five years and now stands at $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the study’s authors concluded.

And for small and midsize businesses, the financial consequences of a data breach can be particularly severe. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, an especially crippling sum for businesses of this size, which typically earn $50 million or less in annual revenue.

For the first time this year, the report also examined the long-tail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67 percent of data breach costs were realized within the first year after a breach, 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach. The long-tail costs were higher in the second and third years for organizations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

More specific to healthcare, not only did this industry’s organizations have the highest average cost of a breach, but that $6.5 million figure was nearly 65 percent more than that of other industries in the study. As such, data breaches cost healthcare companies $429 per lost or stolen record on average, which is almost three times higher than the cross-industry average of $150 per lost or stolen record.

What’s more, organizations in the healthcare and public sectors take the most time in the data breach lifecycle, defined as the time it takes to identify and contain a breach: 329 days and 324 days, respectively. Financial organizations, for comparison, take far less time to identify and contain a data breach (233 days).

Sponsored by IBM Security and conducted by the Ponemon Institute, the report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year. The analysis also takes into account hundreds of cost factors, ranging from legal, regulatory and technical activities to loss of brand equity, customers and employee productivity.

Some of the other top findings from this year's report include:

  • Over 50 percent of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
  • However, inadvertent breaches from human error and system glitches were still the cause of nearly half (49 percent) of the data breaches in the report, costing companies $3.50 million and $3.24 million, respectively.
  • While less common, breaches of more than 1 million records cost companies a projected $42 million in losses. And those of 50 million records are projected to cost companies $388 million.
  • The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
  • Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.

"Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses," Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, said in a statement. "With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs."
