Healthcare data breaches carry the highest average cost per stolen record of any industry, reaching as high as $363 per record, according to Ponemon's annual Cost of Data Breach Study: Global Analysis, sponsored by IBM.
For the US specifically, healthcare’s per capita cost for a data breach was $398, which was well above the overall mean of $217. Ponemon reported that heavily regulated industries such as healthcare, pharmaceutical, and financial averaged higher costs per breach.
Sixty-two companies were interviewed for the US portion of the study, and the unit of analysis is the individual, according to the report. Data breaches ranged from a low of about 5,000 to slightly less than 100,000 compromised records.
The research found that the average cost for each lost or stolen record containing sensitive and confidential information increased from $201 to $217. The total average cost paid by organizations increased from $5.9 million to $6.5 million.
For US companies, malicious or criminal attacks were the leading cause of data breaches, accounting for 49 percent of reported incidents. System glitches that include IT and business process failures were the root cause of 32 percent of data breaches, while human error accounted for 19 percent, according to Ponemon.
These results are consistent with prior years, wherein the most costly breaches involve malicious acts against the company. Companies that had a data breach due to malicious or criminal attacks had a per capita data breach cost of $230, significantly above the mean of $217. In contrast, system glitches or human error as the root cause had per capita costs significantly below the mean ($210 and $198, respectively).
The study also tracked abnormal churn rates, which are defined “as a greater than expected loss of customers in the normal course of business.” Industries that have more regulations also tended to have higher abnormal churn rates. For example, financial, health, technology, pharmaceutical and service organizations experienced a relatively high abnormal churn, the report said. However, public sector, research and communications sectors typically had lower than normal churn.
“The implication of this analysis is that industries with the highest churn rates could significantly reduce the costs of a data breach by putting an emphasis on customer retention and activities to preserve reputation and brand value,” the report stated.
Specifically, healthcare’s churn rate was 6 percent, while the financial industry led the way with a 7.1 percent churn rate.
The aftermath of a data breach can also be costly, according to the study. For example, post-data breach costs increased from $1.60 million in 2014 to $1.64 million in this year's study. However, the average post-breach response cost has decreased from its 10-year high of $1.74 million in 2011.
The costs of lost business from a data breach increased slightly. These costs include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.
“The current year’s cost of $3.72 million represents an increase from $3.32 million,” the report stated. “The highest level of lost business cost was $4.59 million in 2009.”
These findings are similar to Ponemon’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data that was released earlier this month. That report found that there has been a 125 percent increase in criminal attacks in the healthcare industry since 2010.
Criminal attacks on healthcare organizations are now the leading cause of data breaches, as 45 percent of covered entities reported that as the root cause of an incident. Twelve percent said it was due to a malicious insider.
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause,” Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement.