2019 Data Breach Cost Study Shows Skyrocketing U.S. Healthcare Data Breach Costs

The 2019 Cost of a Data Breach Report of Ponemon Institute/IBM Security has been published. It is a detailed study of the reported data breaches in 2018. It revealed the continuous increase of data breach costs and noted the most expensive breaches that healthcare organizations experienced in the past 9 years.

$3.92 Million Average of Data Breach Costs

In the last five years, there was a 12% increase in the average cost of a data breach, which is $3.92 million. The average breach size now is 25,575 records while the average cost per breached record is $150. It was $148 last year.

The global healthcare market has reported the highest breach costs, which is 65% higher than other industry sectors. The average mitigation cost of a breach is $6.45 million.

United States reported the highest data breach cost of $8.19 million, which translates to $242 mitigation cost per record. The average healthcare data breach cost in the U.S. is $15 million.

$429 Data Breach Cost per Record

The average breach cost per record in the healthcare industry increased by 5.15% – $429 from $408 last year. The financial sector reported the second highest breach costs averaging $210 per record.

Luckily, mega data breaches rarely occur, but when they do, the costs can skyrocket. Mega data breaches refer to breaches involving over 1 million records. IBM estimated a loss of $42 million in case of a data breach of 1 million records. Losses will be as high as $388 million in case of a breach of 50 million records. The latest data breach at American Medical Collection Agency, which impacted 18 healthcare organizations and 25 million people, is almost half that size.

Cybercrime gives big bucks to cybercriminals and sadly big losses for businesses. Organizations faced losses or theft of more than 11.7 billion records during the last 3 years alone. Businesses must realize the full financial impact of a data breach and aim to reduce these costs.

The Ponemon Institute performed the survey on 507 companies that have encountered a data breach last year. There were 3,211 interviews conducted with persons who had information about the breach. An activity-based costing (ABC) method was used to determine breach costs. This method specifies activities and its cost based on actual use.

The Long-term Impact of A Data Breach

In the survey, IBM analyzed the financial impact of a data breach and saw that effects could be felt for years. Most of the breach costs are broken down as follows: 67% on the first year, 22% on the second year, and 11% after the second year. In highly controlled industries like healthcare, it is expected to have higher longtail costs.

For most businesses, the greatest cost is the loss of business after the occurrence of a data breach. It has been the biggest breach cost in the last 5 years, averaging $1.42 million or 36% of the total cost of the breach. On average, there is a 3.9% loss of customers right after a data breach. But the figure is larger for healthcare providers who have difficulty retaining patients after a data breach.

Several factors affect the cost of breaches like the nature of the breach and the size of the organization. The average data breach cost at an SMB having less than 500 workers is $2.5 million or 5% of yearly revenue. With such debilitating costs, it is understandable why SMBs fail to thrive in 6 months after a data breach.

The most expensive breaches are malicious attacks (51%). Companies spennd 25% more on malicious attacks compared to breaches due to insider or system errors. Malicious attacks are now more frequent, registering a 21% increase from 2014 to 2019.

The study found a few factors that lower the cost of a breach. The most important is having an incident response (IR) team and an IR plan. Thoroughly testing that plan reduces breach costs by $1.23 million on average.

A quick breach response also significantly reduces the cost of a breach. The average time to discover a breach is 279 days. Identifying and resolving a breach within 200 days reduce costs by $1.2 million on average.

About Christine Garcia 1185 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA