Healthcare Data Breach Costs Now $408 Per Record

The Ponemon Institute has conducted its annual Cost of a Data Breach Study on behalf of IBM Security, and the results show that the cost of mitigating data breaches continues to rise. This year the report also details the cost of 'mega' data breaches, those in which more than 1 million records were exposed or stolen. 477 organizations and 2,200 employees participated in the study. The costs of mitigating breaches were computed using activity-based costing (ABC).

The average cost of mitigating data breaches was $3.62 million last year. This year, the average cost of a data breach has increased to $3.86 million – a 6.4% year-over-year rise in breach costs. The per capita cost of a data breach has risen from $141 in 2017 to $148 in 2018 – a 4.8% increase.

The average cost of a data breach is $7.91 million in the United States, although costs vary significantly by industry sector. The healthcare industry has the highest data breach resolution costs at an average of $408 per record. Next comes the financial services industry where breaches cost an average of $206 per record. The public sector has the lowest per capita costs at $75 per record.

Cyberattacks by criminals and malicious insiders result in the highest resolution costs at $157 per record. System glitches result in an average cost of $131 per record, while breaches due to human error have a resolution cost of $128 per record.

The average time to identify a breach is 197 days and the mean time to contain a breach is 69 days. When a breach is experienced, there is a 27.9% probability of another breach being experienced in the following two years.

The Ponemon Institute and IBM Security also studied the costs of mitigating mega data breaches and found that a breach of 1 million records costs an average of $40 million, while a breach that resulted in the theft or exposure of 50 million records cost an average of $350 million to resolve. There were almost twice as many mega breaches in 2017 as in 2013 (16 vs. 9). Mega breaches take an average of 365 days to detect and contain, compared to 266 days for smaller data breaches. Loss of customers is the biggest cost component of a mega breach: the lost business from a 50-million-record breach would cost a healthcare company around $118 million in revenue.