Data Breach Costs Increase by 10% to $4.9 Million
The average cost of a data breach has risen by 10% since 2023 to $4.88 million, the highest annual rise since the pandemic, according to the IBM 2024 Cost of a Data Breach Report. Several factors have contributed to the increase, including increasingly disruptive attacks that have pushed the average recovery time beyond 100 days for most breached organizations; only 12% of surveyed companies said they had been able to fully recover from a breach.
Other factors that have played a part in the 10% increase are rising costs of operational disruption, lost business, post-breach customer support, and third-party response costs. These costs are increasingly difficult for organizations to absorb and are being passed on to customers. In 2023, 57% of breached organizations said they had passed on costs to customers, compared to 70% in 2024.
For many years, one of the main problems for businesses has been a shortage of cybersecurity staff, compounded by the growing pressure that more disruptive attacks place on existing staff. This year there was a 26% increase in the number of organizations reporting severe staff shortages, and the skills gap is having a major impact on breach costs: IBM found that organizations with a severe skills gap paid an average of $1.76 million more in breach costs than those with low-level or no security staffing issues.
One of the ways that organizations have responded to the skills shortage is by using security AI and automation in their security operations centers. These tools have allowed them to improve productivity and efficiency. When AI and automation were extensively used across prevention workflows, organizations were able to shave an average of $2.2 million off their data breach costs. AI and automation resulted in the biggest breach cost savings identified in the report. Also important for reducing breach costs were staff training, Security Information and Event Management (SIEM), incident response planning, encryption, and threat intelligence.
IBM reports that the average data breach lifecycle – from the attack to full recovery – has fallen to a 7-year low of 258 days, which indicates that AI and automation are helping organizations recover more quickly and a faster recovery helps to keep breach costs down. Defenders are also getting better at detecting breaches, with 42% of breaches detected by the organization’s security team compared to 33% in 2023. When data breaches are detected internally, recovery time is 61 days shorter on average. Internally detected breaches cost around $1 million less than breaches disclosed by the attacker.
For this year’s report, IBM looked at the issue of data visibility gaps. Shadow data – data stored in unmanaged locations – is a growing problem. Data spread across multiple environments is harder to safeguard, and data stored across locations such as the public cloud, private cloud, and on-premises systems was involved in 40% of data breaches. These breaches were far costlier, at more than $5 million per breach on average, than breaches involving data stored in a single environment, and they also took longer to identify and contain (283 days).
As has been the case since 2021, the most expensive breaches were in healthcare. Healthcare data breaches cost an average of $9.77 million, although that is a 10.6% reduction in costs from $10.93 million in 2023. The costliest breaches were caused by malicious insiders, with average costs of $4.99 million. Business email compromise and phishing attacks were also costly at $4.88 million. The most common cause of a data breach was compromised credentials, which cost an average of $4.81 million and took the longest to identify and contain (292 days).
One of the biggest cost savings came from working with law enforcement. Organizations that reported incidents to law enforcement quickly saved an average of $1 million in breach costs, not including any ransom paid. Further, 63% of organizations that worked with law enforcement avoided paying the ransom, resulting in additional savings. Law enforcement involvement also shortened the time to identify and contain a breach from 29 days to 281 days.
