- In their 2018 Cost of a Data Breach Report, IBM and the Ponemon Institute found that healthcare data breach costs average $408 per record, the highest of any industry for the eighth straight year and nearly three times higher than the cross-industry average of $148 per record.
This compares with an average cost of $380 per record for a healthcare data breach from last year’s report.
The study found that the average cost of a data breach across industries and countries is $3.86 million, a 6.4 percent increase from 2017 and a nearly 10 percent net increase over the past five years.
The IBM-Ponemon study compared the cost of data breaches in different industries and regions, finding that data breaches are the costliest in the United States and the Middle East, and least costly in Brazil and India.
One factor impacting the cost of a data breach in the United States was the reported cost of lost business, which was $4.2 million, more than double the amount of “lost business costs” compared to any other region surveyed.
Overall, the study found that hidden costs in data breaches are difficult and expensive to manage.
“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Global Lead for IBM X-Force Incident Response and Intelligence Services Wendi Whitmore.
"The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," Whitmore.
Based on interviews with nearly 500 companies that experienced a data breach, the study analyzed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.
For mega breaches, the biggest expense category was costs associated with lost business, which the report estimated at nearly $118 million for breaches of 50 million records, almost a third of the total cost of a breach this size.
The report analyzed the publicly reported costs of several high profile mega-breaches and found the reported numbers are often less than the average cost found in the study. This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers.
The study also examined factors that increase or decrease the cost of a breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.
The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days.
Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days.
For the first time, the report examined the effect of security automation tools that use artificial intelligence, machine learning, analytics, and orchestration to augment or replace human intervention in the identification and containment of a breach.
The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach.
“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach,” said Ponemon Institute Chairman and Founder Larry Ponemon.
“While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” Ponemon concluded.