The average cost has risen more than 50% since 2020, according to a new report from IBM Security. Healthcare breaches are more expensive than any other sector.
Healthcare data breaches continue to become more costly.
The average healthcare data breach has reached $10.93 million, according to a new report released today by IBM Security. That’s an 8% jump from a year ago, when the average cost topped $10 million for the first time.
IBM Security compiles annual reports on the cost of breaches, and the healthcare industry suffers more expensive data breaches than any other sector. In fact, it’s the 13th consecutive year that healthcare surpassed all other industries in the average cost of a breach. By comparison, the average cost of a data breach across all industries is $4.45 million.
Since the COVID-19 pandemic began, the average cost of a healthcare data breach has risen 53%, the report found.
“We're seeing a very big increase for healthcare organizations, probably because they're really in the crosshairs of attackers,” Limor Kessem, a senior cybersecurity consultant for IBM Security, tells Chief Healthcare Executive®. “And there is no relenting so far.”
The report comes amidst a rise of data breaches and ransomware attacks affecting hospitals and health systems. This month, HCA Healthcare disclosed a cyberattack that could have affected as many as 11 million patients.
Attackers have discovered that health systems are both vulnerable and easier to reach than organizations in other sectors.
“Attackers who are highly skilled typically … have an easier time,” Kessem says. “And so they do go for these major organizations that have a lot of patients. And then the larger breaches are extremely costly.”
Scarcity of talent
Healthcare organizations have trailed other industries in their cybersecurity defenses, Kessem says. Hospitals and health systems have had trouble attracting top cybersecurity talent, because other industries pay better.
“Security folks are going to work for places where they could get the bigger paycheck, and it's not always going to be a healthcare organization,” Kessem says. “It's a tough industry to get very skilled staff.”
After the healthcare industry, the financial sector was second in terms of cost, with the price tag of the average breach reaching $5.9 million, about $5 million less than a breach in healthcare.
The pharmaceutical industry ranked third, with the average cost of a breach at $4.8 million, which actually represents a bit of a drop from last year ($5 million in 2022).
Healthcare organizations maintain enormous amounts of data on patients, including health records and financial information, making them appealing targets for ransomware gangs. They also work with hundreds of vendors, which exposes them to breaches that originate outside their own organization.
“It's a big attack surface, and it's very diversified,” Kessem says. “It's really hard to protect it.”
Silence is costly
In Kessem’s view, cyberattackers and ransomware gangs are becoming more adept at infiltrating organizations.
“They do it all day, every day, all day,” Kessem says. “That's all they do. They know everybody's network. Sometimes they sit in networks for a while and they watch everything. They go undetected for quite a while. They really find everything around, and that's their bread and butter.”
While the report focuses on the high costs of cyberattacks to healthcare and other sectors, Kessem says it also underscores the value of working with law enforcement when a breach occurs. Those who are keeping quiet and declining to call authorities are losing time and money, the report suggests.
Organizations that contacted authorities during a ransomware attack saw an average breach cost $470,000 lower than those that did not go to law enforcement. The report also says those working with law enforcement contained the breach more quickly: the containment period was shorter when authorities were involved (273 days vs. 306 days).
“As a consultant, I get the question every single time: Should we bring in law enforcement? Or would it just make things worse or, you know, complicate things? And do we need more people here, it's already a mess, and so on,” Kessem says. “And it turns out that those who do bring in law enforcement will save about 33 days in the containment of the breach, and also save almost half a million dollars. So that's really good news.”
At the same time, more than one third of ransomware victims studied (37%) do not contact authorities.
Many organizations don’t detect breaches on their own, the report states. Across all sectors, only one in three breaches is found by the organization’s own security team. In the other cases, the breach was found by a third party, or the attackers themselves informed the organization that it had been infiltrated.
Kessem suggests that healthcare organizations need to develop a more comprehensive view of protecting all of their patient data, including images of their patients.
“I think that healthcare organizations have to really think about: what data do we have, and how can we better protect it? Go to that encryption, find new encryption techniques, and schemes and adapt to the type of data you have,” she says.
Organizations that are doing better on cybersecurity have high engagement from their top leaders.
“They have an executive team that is actually interested in driving cybersecurity initiatives,” Kessem says. “And when they engage and take on a cybersecurity project, you see participation and hard work from those senior management teams. So it's not left just to the technical teams … It's really a joint effort, and everybody is part of it.”