Healthcare Information Security

Healthcare Data Breach Costs Highest for 7th Straight Year

IBM and Ponemon found that healthcare data breach costs average $380 per record, more than 2.5 times the global average across industries.


By Elizabeth Snell

Healthcare data breach costs are the highest among surveyed sectors for the seventh straight year, according to the 2017 Cost of a Data Breach Study: Global Overview.

The average total cost of a data breach is $3.62 million globally, a 10 percent decline from the 2016 survey. Healthcare data breaches, however, cost organizations $380 per compromised record, more than 2.5 times the global cross-industry average of $141 per record.

The survey was sponsored by IBM Security and conducted by Ponemon Institute. The US portion of the report reviewed incurred costs for 63 companies in 16 industry sectors. The examination took place after those organizations “experienced the loss or theft of protected personal data and the notification of breach victims as required by various laws.”

In the US, data breaches cost companies an average of $225 per compromised record, and the total average organizational cost of a data breach reached a new high of $7.35 million.

Heavily regulated industries, including healthcare, experienced higher data breach costs. Following healthcare at $380 per capita (that is, per compromised record), the industries with the highest costs were financial services ($336 per capita), services ($274), life science ($264), and industrial ($259). The mean per capita cost across all US sectors surveyed was $225.

[Chart: data breach costs by industry. Source: Ponemon]

“Data breaches and the implications associated continue to be an unfortunate reality for today's businesses,” Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”

“Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”

Malicious or criminal attacks were the primary cause of data breaches in the US, according to the survey, accounting for 52 percent of incidents; human error and system glitches accounted for 24 percent each.

[Graph: root causes of data breaches. Source: Ponemon]

Malicious attacks were also the costliest type of data breach, the survey showed.

“Companies with a data breach due to malicious or criminal attacks had an average per capita data breach cost of $244,” report authors wrote. “In contrast, system glitches or human error as the root cause had per capita costs significantly below the mean ($209 and $200, respectively).”

The Ponemon and IBM survey also reviewed factors that influence the cost of a data breach. Third-party error, compliance failure, extensive migration to the cloud, rushing to notify victims, and lost or stolen devices each increased the cost by more than $10 per compromised record.

Conversely, having an incident response plan and team in place, extensive use of encryption, employee training, business continuity management (BCM) involvement, and extensive use of data loss prevention (DLP) technologies were each found to reduce the cost by more than $9 per compromised record.

The more records that are lost, the higher the total cost of a data breach, the survey found. Companies with breaches involving fewer than 10,000 records spent an average of $4.5 million to resolve the incident, while those that lost more than 50,000 records spent $10.3 million.

Detection and containment time also affect the overall cost of a data breach, according to the report, which measured mean time to identify (MTTI) and mean time to contain (MTTC). On average it took organizations more than six months to identify an incident and a further 55 days, almost two months, to contain it.

“If the MTTI was less than 100 days, the average cost to identify the data breach was $5.99 million,” report authors explained. “However, if the MTTI is greater than 100 days, the average cost increased to $8.70 million.”

Having a business continuity program or disaster recovery plan in place can also be beneficial, the survey revealed. Companies using a manually operated disaster recovery process experienced an estimated average cost of $6,101 per day, compared with $4,041 per day for organizations using an automated disaster recovery process.

The 2016 Cost of a Data Breach report also showed that healthcare had the highest data breach costs, averaging $355 per stolen record. Last year’s survey also revealed that the majority of data breaches are caused by malicious or criminal attacks.

In the 2016 report, however, education had the second highest per-record cost, averaging $246 per record, with financial services third at an average of $221 per record.
