
Healthcare data breaches cost an average of $10.1M, more than any other industry

Due to its regulatory nature and low adoption of zero trust policies, healthcare data breaches cost more than any other sector. (Photo credit: "Emergency room" by KOMUnews is licensed under CC BY 2.0.)

With an average of $10.1 million, a data breach in the healthcare sector costs more than any other industry. In fact, the industry has faced the highest average cost of a breach for the last 12 years, according to the annual IBM Cost of a Data Breach Report.

For comparison, the average cost of a breach in the U.S. is $9.44 million.

The report is compiled from a study of 550 organizations impacted by data breaches between March 2021 and March 2022, as well as 3,600 interviews with individuals from impacted organizations, to understand the costs and biggest impacts related to data breaches.

For healthcare, the findings showed expenditures grew by nearly $1 million, or 9.4%, last year to yet another record high.

The high costs are likely due to the highly regulated nature of healthcare. But the report also showed that breaches cost more for entities without zero-trust policies. Like other critical infrastructure organizations, healthcare’s struggles with adopting zero trust may also explain the high expenditures.

Notably, breaches in the related pharmaceutical industry were the third-most expensive with an average price tag of $5.01 million, a slight decrease from the previous year.

Further, entities that face incidents in highly regulated industries like healthcare and pharma often see the initial cost estimates increase in the later years following the breach. According to the report, “The difference between low and high regulatory environments showed up in a pronounced way two years or more after the data breach: the ‘longtail’ costs.”

For those industries, an average of 24% of breach costs were accrued over two years after the incident occurred. The likely contributors to these increases were regulatory and legal costs. In industries with a lower regulatory threshold, those cost accruals amounted to just an 8% increase.

Overall, the average cost of a compromise for critical infrastructure is just $4.85 million. Twenty-eight percent of the reported breaches were tied to a destructive cyberattack or ransomware, and 17% were tied to a vendor breach.

The report data, when combined with expenditures faced by healthcare breach victims, underscores the importance of a more proactive approach for the sector. Tenet Health’s cyberattack and monthlong outage cost $100 million in unfavorable impact. Although the price is staggering, it’s comparable to what other healthcare entities have reported for similar outages after a cyberattack.

After experiencing more than a month of outages after a cyberattack, Vermont Health Network reported the incident cost more than $63 million. A similar attack on Universal Health Services with the same outage period cost $67 million. Disruptive cyberattacks cost an average of $1.5 million for each day of network downtime.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
