Discovering the True Financial Impact of Data Breaches in Healthcare
While the monetary costs to recover from a healthcare data breach are frequently astronomical and potentially backbreaking to medical institutions, the overall cost goes far beyond their immediate financial toll. Data breaches in the healthcare sector can have significant financial, legal, operational, and reputational consequences. The broader impact of a breach can encompass a broad spectrum, contingent on variables like breach size, compromised data types, organizational response, and the ensuing fallout. The true cost of such breaches will never be known.
Yet data samples point to a simple, sobering reality: Cybersecurity breaches are on the rise both in terms of prevalence and associated cost. The healthcare sector is no exception. IBM estimates in its 2023 report that since 2020, healthcare data breach costs have risen 53.3 percent.
Here, we delve into the pivotal cost components entailed in healthcare data breaches:
Lifecycle Cost of Breach
A breach can be potentially game ending for any organization, but the effects of cybercriminal attacks in the healthcare sector far outweigh those of other industries in terms of average cost. According to IBM’s 2022 report, the average lifecycle cost of a healthcare data breach was $10.1 million – to be outdone only by the 2023 calculation of $10.9 million, which is by far the costliest across all industries for over a decade now. Available statistics on the matter require a caveat, however, as not all associated costs are factored in (actual ransom payments, downtime, loss of business, etc.). Sources claim that ripple effects from a breach can still be felt months and even years down the line, making exact figures difficult to ascertain.
Ransom Payments
Cyber-extortion plays a significant role in costly breaches, and its use has become more frequent. In 2021 alone, the healthcare sector experienced a 45 percent year-over-year increase in data breaches provoked by ransom attacks. On a global scale, IBM calculated that the 2022 average cost of a ransomware attack was $4.54 million (minus any ransom payment); the 2023 report tells of a 13 percent year-over-year increase to $ 5.13 million. Unequivocal data on ransom amount and the propensity to pay remain somewhat elusive for several reasons. Sophos’ 2023 report does, however, offer some indications, albeit perhaps statistically insignificant. Here, 42 percent of respondents affected by cyber-extortion admitted to having paid ransom to recover data, a decrease from 2022 (61 percent). Of the affected entities, 12 shared the exact payment amount, with the median breaking the $2.5 million mark, a significant increase from the previous year.
Federal Settlements and Civil Penalties
Healthcare entities that inadequately safeguard patient data expose themselves to formidable fines and penalties. Regulatory bodies such as the US Department of Health and Human Services (HHS) wield the authority to levy fines for violations of legislation like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Office of Civil Rights’ settlements and civil penalties paid for violations of HIPAA laws can vary greatly and incur anywhere between $120 per chart for minor infractions all the way up to over $1 million per chart for cases of willful neglect. The average fine per penalized breach in 2022 was just under $100,000.
Legal and Consulting Fees
Healthcare entities may enlist legal advisors, cybersecurity specialists, and consultants to oversee breach response, navigate legal complexities, and enact security enhancements. The fees associated with such high-level professionals are not negligible. Additionally, one must take into consideration the litigation expenditures brought on by legal proceedings initiated by data breach victims pursuing compensation for the exposure of their protected health information and seek to reimburse identity theft and fraud costs linked back to the breach.
Reputational Damage
Healthcare data breaches exact a substantial toll on facilities and their business partners that is largely unquantifiable, but no less felt. This is damaging to reputation. Breach aftermath casts a shadow of mistrust over organizations, eroding patient confidence and tarnishing brand image. The disclosure of sensitive patient information shakes the bedrock of credibility, potentially leading to patient exodus and compromised new patient acquisition. With heightened public awareness of data privacy, breaches propagate a perception of organizational negligence, impacting long-term patient and shareholder loyalty – perhaps irrevocably. The damage transcends the breach event, permeating the industry discourse and influencing stakeholders' perceptions. The road to recovery requires meticulous communication, redoubled security measures, and demonstrable commitment to safeguarding patient data – a journey essential for regaining lost trust and reputation.
Profitability Strain
In the aftermath of a breach, operational disruptions and reputational damage can translate to profit leaks. Interference in operations can lead to downtimes, curtailed productivity, and disturbances in regular undertakings, which in turn lead to forfeited wages and salaries and other cost absorption. A data breach can wield a severe blow to a healthcare entity's reputation, eroding both shareholder and patient trust and potentially resulting in a pervasive loss of credibility and, ultimately, liquidity. Business prospects may also suffer because of a breach, further pinching a facility’s margins.
Insurance Premiums
Healthcare organizations equipped with cybersecurity insurance may face escalated premiums post-breach. While cybersecurity insurance provides vital financial protection, its utilization could engender augmented costs due to perceived heightened risk. This underscores the symbiotic role of stringent cybersecurity measures and insurance coverage in minimizing post-breach financial implications while reinforcing the importance of resilient data protection strategies for healthcare entities.
Compliance and Remediation Expenditures
Following a breach, healthcare institutions often allocate resources to remediate breaches and address compliance intricacies. Remediation endeavors entail their own set of costs for initiatives such as restoring systems, conducting forensic inquiries, fortifying security frameworks, and retrieving lost data involves substantial expenses in the process of remediation.
Notification and Communication Expenses
Mandated notifications to affected individuals and other stakeholders constitute an essential, albeit perhaps relatively minor cost. Establishing call centers, disseminating breach notifications, and furnishing credit monitoring services for impacted patients collectively add to the financial outlay. In cases involving business associates, healthcare institutions might bear the onus of covering the notification and response expenses of these associates.
In summation, the fiscal and reputational implications of a healthcare data breach are far-reaching, encompassing direct financial outlays, legal penalties, operational upheaval, and enduring reputational damage. This underscores the pivotal importance of robust cybersecurity strategies and breach response blueprints for healthcare entities, arming them to mitigate the repercussions of potential breaches.
Ultimately, it is the consumers who suffer the most from data leaks and ransom attacks. Beyond the organization itself, a breach casts a wide net of vulnerability – users, customers, vendors, and others connected to the breached data become susceptible to various forms of harm. Many breached entities recover economically after a major security event. It is patients, both past and future, who bear the greater cost, as their exposed data renders them exploitable, and their hospital charges are bloated due to recovery cost inflation. They literally pick up the bill for cybersecurity breaches.
Nick Youmans, PhD, is the director of finance and infrastructure at YES HIM Consulting, a health information management coding and auditing consulting firm.