July 14, 2020


New Report Finds Health Care Industry Bears Highest Data Breach Costs

Health care data breaches cost health care entities an average of $408 per record, the highest of any industry for the eighth straight year, according to IBM and the Ponemon Institute’s 2018 Cost of a Data Breach Report, and three times higher than the cross-industry average of $148 per record. The cost of a health care data breach increased from last year’s reported average of $380 per record. Contributing factors to the high costs include compliance with laws and regulations and abnormally high churn rates due to consumer mistrust.

The report was compiled from data collected through interviews with over 2,000 IT, data protection, and compliance professionals across 477 companies around the world that experienced data breaches in the last year. Some of the most significant findings from the report include the following:

  • Notification costs for organizations are the highest in the United States at $740,000, due in part to costs associated with determining regulatory requirements. In contrast, India had the lowest notification costs at $20,000.
  • Hackers or criminal insiders cause 48 percent of all data breaches analyzed in the report. The cost per record to resolve such attacks was $157, compared to $131 per record for data breaches caused by system glitches, human error, or negligence.
  • Third-party involvement in a data breach and extensive cloud migration at the time of the breach increase the cost by more than $13 per compromised record.
  • For the fourth year in a row, the report showed that the faster a data breach can be identified and contained, the lower the costs for the breach. The average time to identify a data breach for the sample of 477 companies was 197 days, and the average time to contain a data breach was 69 days. Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that averaged longer than 100 days. Likewise, companies that contained a breach in less than 30 days saved over $1 million as compared to those companies that took longer than 30 days.
  • Incident response teams reduce the cost of a data breach by as much as $14 per compromised record, and extensive use of encryption reduces the cost by $13 per capita.
  • Organizations that lose 1 percent of customers due to a data breach incur an average total cost of $2.8 million. Organizations that lose 4 percent or more of their customers average a total cost of $6 million.

While the costs of data breaches continue to rise for health care as well as other industries, the study showed signs of cost savings through the use of newer technologies, such as automation tools, artificial intelligence, and machine learning to support or replace human intervention in data breach identification and response.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume VIII, Number 206


About this Author

Sumaya Noush, Drinker Biddle Law Firm, Health Care Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...