2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected losses due to a data breach of $1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach including the longtail financial costs. The analysis revealed the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach when 67% of the cost is accrued. 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the longtail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years, which now costs businesses an average of $1.42 million or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations who often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.