Healthcare data breaches cost more to resolve on average than breaches in any other industry, according to new research.
The average cost-per-record in a healthcare breach is $402, according to statistics from Ponemon Institute’s 2016 Cost of Data Breach Study: United States.
That's about 80% higher than the U.S. average, and about twice the average of the retail sector, according the report.
Ponemon’s 2016 report is based on 10 months of interviews with 64 companies in 16 industries across the U.S. It does not include breaches that affected more than 100,000 records, as this would skew the results.
Every edition of the report since 2013 has ranked healthcare as the most expensive industry in which to resolve a data breach (based on a cost-per-record average).
The first reason is that healthcare is heavily regulated by HIPAA and other laws. This can pile on additional costs after a breach.
Data breaches are expensive to begin with. Typical costs can be tied to:
Organizations in healthcare and other heavily regulated industries often incur additional costs. These can include:
So it’s not surprising to see the average cost of a healthcare data breach above the U.S. average – but that’s not the only reason it tops the list.
You may be surprised to learn that the most expensive part of a data breach comes well after the breach is detected and resolved.
The various costs of a data breach come in two types:
Topping the list of costs is “lost customer business,” as you can see in this chart from the Ponemon report.
Healthcare organizations can expect to lose even more business after a data breach than average.
Customer churn jumps 6.7% after a healthcare breach. That’s second only to the financial sector, and it’s three-times higher than the average jump seen in retail.
This helps explain why the average cost of healthcare data breaches is higher than in other industries. Not only is healthcare under heavy regulation, but it is also prone to higher levels of customer churn after a breach.
In a typical breach, 40% of the cost is due to losing customers. Since healthcare has an even higher rate of churn, this pushes its cost-per-record through the roof.
Many factors can influence the total cost of a data breach. Two big factors that the organization can manage are the time it takes to detect a breach and the time it takes to contain it.
The faster an organization can identify and solve the problem, the more money it will save.
Creating an incident response team with a response plan is one way to speed detection and remediation. According to the report, these two assets are among the most effective ways to cut the cost of a data breach.