Healthcare data breaches cost more to resolve on average than breaches in any other industry, according to new research.
The average cost-per-record in a healthcare breach is $402, according to statistics from Ponemon Institute’s 2016 Cost of Data Breach Study: United States.
That’s about 80% higher than the U.S. average, and about twice the average of the retail sector, according to the report.
Ponemon’s 2016 report is based on 10 months of interviews with 64 companies in 16 industries across the U.S. It does not include breaches that affected more than 100,000 records, as this would skew the results.
Every edition of the report since 2013 has ranked healthcare as the most expensive industry in which to resolve a data breach (based on a cost-per-record average).
Why do healthcare data breaches cost more?
The first reason is that healthcare is heavily regulated by HIPAA and other laws. This can pile on additional costs after a breach.
Data breaches are expensive to begin with. Typical costs can be tied to:
- Auditing and forensic analysis
- Notifying affected individuals
- Legal fees
Organizations in healthcare and other heavily regulated industries often incur additional costs. These can include:
- Fines and penalties
- Consulting on regulatory requirements
- Activities such as credit monitoring or reissuing accounts, which may be required by regulations
So it’s not surprising to see the average cost of a healthcare data breach above the U.S. average – but that’s not the only reason it tops the list.
Healthcare breaches push customers away
You may be surprised to learn that the most expensive part of a data breach comes well after the breach is detected and resolved.
The various costs of a data breach come in two types:
- Direct costs – Only about 34% of the total cost of a breach falls into this category. It includes detecting the breach, escalating the response, auditing, and hiring legal defense.
- Indirect costs – The big costs – the remaining two-thirds of the total – are here. They include customer turnover, drops in customer acquisition, brand damage, and time lost.
Topping the list of costs is “lost customer business,” as you can see in this chart from the Ponemon report.
Healthcare organizations can expect to lose even more business after a data breach than average.
Customer churn jumps 6.7% after a healthcare breach. That’s second only to the financial sector, and it’s three times higher than the average jump seen in retail.
This helps explain why the average cost of healthcare data breaches is higher than in other industries. Not only is healthcare under heavy regulation, but it is also prone to higher levels of customer churn after a breach.
In a typical breach, 40% of the cost is due to losing customers. Since healthcare has an even higher rate of churn, this pushes its cost-per-record through the roof.
Cutting the cost of a data breach
Many factors can influence the total cost of a data breach. Two big factors that the organization can manage are the time it takes to detect a breach and the time it takes to contain it.
The faster an organization can identify and solve the problem, the more money it will save.
Creating an incident response team with a response plan is one way to speed detection and remediation. According to the report, these two assets are among the most effective ways to cut the cost of a data breach.