Average Cost of Healthcare Data Breach $4.62 Million

Each year, IBM Security and Ponemon Institute publish their “Cost of a Data Breach Report” in which they assess the previous year’s data breaches. In the 2021 breach report, it was determined that 2020 healthcare data breaches cost organizations $2 million to $9.42 million per incident. Furthering that ransomware attacks cost an organization an average of $4.62 million per incident. With ransomware attacks accounting for more than half of healthcare breaches in 2020, the average cost of a healthcare data breach has reached $4.62 million per incident.

Overall, the cost of a data breach increased by 10% as compared to the previous year, largely due to the widespread adoption of cloud technology to support new remote workforces. The quick manner in which businesses implemented new technology led many to fail to implement policies, procedures, and training for remote workers. Remote workers also contributed to a delay in response to security incidents, adding an average of $1 million to the cost of data breaches associated with remote work.

Click here for your free telecommuting policy!

What Caused the Breaches and What Information Was Exposed?

How to Mitigate the Costs of a Healthcare Data Breach

There are several ways in which the cost of a healthcare data breach can be limited. What it ultimately comes down to is having incident prevention systems in place, and being able to quickly detect and respond to incidents. 

• Encryption, AI, and Analytics. Companies that had encryption, artificial intelligence-based security solutions, and security analytics in place saved anywhere from $1.25 million to $1.49 million per incident. To be HIPAA compliant, healthcare organizations must encrypt their electronic protected health information (ePHI) to prevent unauthorized access to the sensitive data. HIPAA also requires access to ePHI to be tracked and monitored, allowing organizations to quickly respond to incidents.

• Security Automation Strategy. When organizations failed to have a security automation strategy in place, they spent an average of $6.71 million per incident, compared to $2.90 million per incident for organizations with fully deployed security automations. 

• Incident Response Plan. Organizations that had a tested incident response plan in place lowered their cost per incident by 54.9%. Part of HIPAA compliance is implementing an incident response plan to facilitate the quick detection and response to incidents. However, it’s not enough to have an incident response plan, the plan must be tested to ensure its effectiveness and that employees are aware of their roles during an incident.

• Zero-trust Security Strategy. Organizations that had adopted a zero-trust security strategy spent an average of $1.76 million less per incident than organizations that had not. The Zero Trust security model, “assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.” Cybersecurity is also an important part of HIPAA especially with the newly passed bill that requires the HHS to incentivize healthcare organizations that adopt a well-known cybersecurity model, such as zero-trust.

Chris McCurdy, Vice President and General Manager, IBM Security stated, “Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic. While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”