Healthcare Data Breach Costs Rise

Understanding the costs of data breaches is always tricky. So is deciding which variables belong in the equation, and so is determining the actual cost of such nebulous concepts as "customer churn." But whether or not it's possible to peg the precise cost of a data breach, there is plenty to learn from trying and from looking at trends. One lesson that is clear year after year is that regulated industries pay more for data breaches. This year, healthcare is the regulated market that spent the most due to a data breach.

In fact, per the Ponemon study, the healthcare industry has suffered the highest average data breach costs of any industry for a decade. At $7.13 million, healthcare data breach costs increased, on average, 10.5% year over year. The energy sector saw a 14.1% increase year over year, and its overall average cost reached $6.39 million, yet that still came in lower than healthcare. Overall, 13 of the 17 industries evaluated saw the average total cost of their data breaches decline year over year.

Healthcare organizations also took longer to identify and contain breaches than other industries, which is perhaps why their costs were so high. On average, companies took 207 days to identify a breach and 73 days to contain it, for a total of 280 days. In healthcare, the time from breach to containment averaged 329 days. The financial vertical did considerably better, with that timeline taking 233 days. According to the report, "fully deployed security automation helped companies reduce the lifecycle of a breach by 74 days compared to companies with no security automation deployment, from 308 to 234 days."

This Ponemon study analyzed roughly 500 organizations, and in 80% of breaches, customers' personally identifiable information was exposed. Of all the types of data exposed in these breaches, customer personally identifiable information was the costliest to businesses.

As we've been covering, the outbreak of healthcare data breaches has shown no sign of abating. More recently, the U.S.-based drug store retailer Walgreens alerted its customers of a breach that took place in May and June of this year in which personal drug prescription information may have been breached.

According to Walgreens, attackers accessed paper records with health information that possibly contained name, age, drug information, prescription details, along with health plan information and some medical history. To date, it appears 180 stores were impacted. "Protecting our customers' personal information is a top priority, and something we take very seriously. We've worked with local law enforcement, and are continuing to take steps to assist and notify customers who may have been impacted," a Walgreens spokesperson told Becker's. "While these were particularly challenging circumstances from a security standpoint and impacted a very small percentage of our stores, we're evaluating the numerous safeguards we regularly employ, and apologize for any inconvenience these incidents may have caused," the company said in this statement.

Also, in late July, the U.S. Department of Veterans Affairs Veterans Health Administration said it had to take additional steps to secure the personal health information of U.S. Veterans.

According to a statement put out by the VHA, a former contractor, Benefits Recovery Specialists, Inc., (BRSI), suffered a data incident that affected VHA files belonging to the Montana VA Health Care System (MTVAHCS).

According to the statement, BRSI discovered malware affecting its systems on April 30 and then notified federal law enforcement. "Moreover, BRSI hired cybersecurity specialists and immediately began an internal investigation taking the affected systems offline to remove the malware and ensure the security of its information systems. A forensic investigation concluded on or about May 29, an unauthorized actor deployed Maze ransomware within BRSI's systems," the vendor said.

Additionally, VHA files containing personal information provided to BRSI as part of prior VA contracts may have been among those accessed and/or acquired between April 20-30 by this unauthorized actor. BRSI performed a comprehensive review of VHA files in its possession and determined the exact personal information impacted by this event to be full name, social security number, and facility. To date, there is no indication any information accessed or taken by the unauthorized actor has been misused. 1,501 Veterans were affected.