HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study.  While there was a slight decline, for the seventh straight year, healthcare data breach costs are still higher than any other industry sector.

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016.

Data breach costs have risen substantially over the past seven years, although the latest report shows there was a 10% reduction in data breach costs across all industry sectors. This was the first year that data breach costs have shown a decline. The average global cost of a data breach now stands at $3.62 million, having reduced from $4 million last year.

The study was conducted globally, with 63 organizations in the United States surveyed. Those organizations were spread across 16 industry sectors. The Ponemon Institute surveyed each company after they experienced the loss or theft of sensitive information and had issued breach notifications to affected individuals. Sensitive data was classed as “An individual’s name plus Social Security number, medical record and/or a financial record or debit card.”

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

In the United States, the surveyed companies experienced data breaches that resulted in the exposure or theft of between 5,563 and 99,500 records, with an average of 28,512 records per breach.

The Ponemon compared the total cost of a breach with the average cost over the past four years. In the United States, the total cost of a data breach rose from $7.01 million to $7.35 million. This was the highest total breach cost since IBM Security/Ponemon first started conducting the study.

Across all industry sectors, the cost of a data breach was higher for malicious or criminal attacks ($244 per record) followed by system glitches ($209 per record) and human error ($200 per record). The breakdown of the causes of the breaches were malicious or criminal attacks ($52%), system glitches (24%) and human error (24%).

How do Healthcare Data Breach Costs Compare to Other Industries?


United States Data Breach Costs

Industry Average Cost per Record (USD)
Healthcare 380
Financial Services 336
Services 274
Life Sciences 264
Industrial 259
Technology 251
Education 245
Transportation 240
Communications 239
Energy 228
Consumer 196
Retail 177
Hospitality 144
Entertainment 131
Research 123
Public Sector 110
Average Cost 225


The study showed the United States has higher breach costs than Europe, where the average cost of a data breach declined by 26% year-over-year. The Ponemon Institute attributed this, in part, to the centralized regulatory environment in Europe. In the United States, organizations have to comply with federal regulations as well as separate regulations in 48 of the 50 states. This makes the breach response labor intensive and extremely costly.

The report suggests the reason for the rise in breach costs in the United States was the result of compliance failures and a rush to notify individuals, with the latter costing organizations 50% more than in Europe. The study revealed the cost of issuing breach notifications was $690,000 on average in the United States – twice the figure of any other country.

The study showed that when third parties were involved in a breach there was an increase in data breach costs, typically adding an extra $17 per record.

As in previous years, a rapid response to a data breach saw organizations limit the cost. When an incident response plan was in place prior to a breach, organizations were able to save an average of $19 per record. There was an average reduction in breach costs of $1 million when organizations were able to contain the breach within 30 days. However, on average, companies took more than six months to discover a breach and more than 66 days to contain it.

Other factors that led to a reduction in breach costs were the use of encryption, which saw a $16 reduction in costs per record and employee education which saw breach costs reduced by $12.50 per record.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute said, “Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” explaining, “Year-over-year we see the tremendous cost burden that organizations face following a data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.