Average Healthcare Data Breach Costs Surpass $10M, IBM Finds

July 27, 2022 - Healthcare data breaches cost an average of $10.1 million per incident last year, IBM Security found in the 2022 edition of its “Cost of a Data Breach Report.” The figure signified a 9.4 percent increase from the 2021 report and a 41.6 percent increase from 2020. For the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs compared to any other industry examined in the report.

Sponsored and published by IBM Security, the Ponemon Institute studied 550 organizations impacted by data breaches between March 2021 and March 2022 to inform the report. In addition, researchers conducted more than 3,600 interviews with individuals from those organizations. They gleaned insights into how and where companies spend funds on the immediate and sustained impacts of data breaches.

Cost Breakdown

US organizations suffered the highest data breach costs overall, at $9.44 million on average across all industries. Critical infrastructure sectors, such as healthcare, also suffered higher ransomware attack costs on average, at $4.82 million ($1 million more than the average cost for other industries). 

Following healthcare, the costliest industry to have a data breach in was financial services, with an average cost of $5.97 million. The report noted that the healthcare sector is highly regulated, which could partially explain the drastic differences in data breach costs.

“The difference between low and high regulatory environments showed up in a pronounced way two years or more after the data breach — the ‘longtail’ costs,” the report stated.

READ MORE: Tenet Healthcare Cyberattack Leads to $100M in Lost Q2 Revenue

“In highly regulated industries, an average of 24 [percent] of data breach costs were accrued more than two years after the breach occurred.”

By comparison, low regulatory environments accrued just 8 percent of costs two years after experiencing a breach.

Detection and escalation accounted for the largest portion of data breach costs in 2022, increasing from an average of $1.24 million in 2021 to $1.44 million in 2022.  

“Detection and escalation costs include activities that enable a company to reasonably detect a breach. These costs include forensic and investigative activities; assessment and audit services; crisis management; and communications to executives and boards,” the report explained.

This year marked the first time that lost business costs did not account for the most considerable portion of total data breach costs. Lost business costs were the second-highest cost, at $1.42 million, and accounted for activities that attempt to minimize the loss of customers and manage business disruptions. Post-breach response and notification costs followed, incurring costs of $1.18 million and $0.31 million, respectively.   

Data Breach Causes

READ MORE: BCBS of Massachusetts Reports Third-Party Vendor Data Breach

The use of stolen or compromised credentials remained the top cause of a data breach in the 2022 report, accounting for 19 percent of all analyzed breaches.

“Breaches caused by stolen or compromised credentials had an average cost of USD 4.50 million. These breaches had the longest lifecycle—243 days to identify the breach, and another 84 days to contain the breach,” the report noted.

Following stolen or compromised credentials, phishing attacks emerged as the second most common cause of a breach, accounting for 16 percent of all analyzed breaches. Additionally, phishing was the most expensive breach type, averaging $4.91 million.

Business email compromise (BEC) averaged $4.89 million in costs, making it nearly as expensive as a phishing attack. Unsurprisingly, incidents that had the longest average times to identify and contain them were also the most expensive.

In addition to costly attack vectors gaining popularity, organizations widely reported being understaffed and underequipped to meet their security needs. More than 60 percent of respondents said that their organizations were not properly staffed, and those that said so incurred an average of $550,000 more in breach costs than those who did not.

READ MORE: AMA: Patients Demand Health Data Privacy, Accountability, Transparency

What’s more, researchers noticed that many organizations were not fully leveraging technology and best practices to secure their environments. More than 75 percent of analyzed critical infrastructure entities had not deployed a zero trust architecture, despite President Biden’s 2021 executive order emphasizing the need for zero trust practices across critical infrastructure.

Technology’s Role in Lowering, Raising Data Breach Costs

“AI platforms, a DevSecOps approach and use of an incident response (IR) team were the three factors associated with the highest cost decrease compared to the mean cost of a breach,” the report found.

The report observed increased adoption of AI and security automation technologies and, along with it, decreased costs. AI and automation can help organizations streamline processes, improve workflows, and even fill some gaps in the ongoing cybersecurity workforce shortage.

Organizations with fully deployed security AI and automation experienced average breach costs that were $3.05 million lower than organizations without fully deployed security AI and automation.

Organizations that implemented extended detection and response (XDR) technologies saw similar benefits and were able to identify and contain a breach 29 days faster than organizations without XDR technology.

“On the other hand, security system complexity, occurrence of cloud migration when the organization is in the process of migrating to the cloud and compliance failures were the three factors associated with the highest net increase in the average cost.”

Organizations with mature cloud security infrastructures largely experienced lower data breach costs, but those in the early stages were met with more challenges. Organizations with hybrid cloud models were able to contain breaches significantly faster than those with public or private models, the report observed.

With its findings in mind, IBM Security recommended that organizations implement a zero trust architecture, protect sensitive data in mature cloud environments, invest in automation and XDR, and create incident response playbooks to bolster cyber resilience.

“Businesses need to put their security defenses on the offense and beat attackers to the punch. It’s time to stop the adversary from achieving their objectives and start to minimize the impact of attacks. The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases.” Charles Henderson, global head of IBM Security X-Force, explained in an accompanying press release.

“This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked.”