Article | May 19, 2025

The rising cost of a healthcare data breach

Healthcare data breaches have reached a crisis point. In 2024, the cost of healthcare data breach incidents soared to an all-time high, averaging $9.8 million per breach, according to IBM’s Cost of a Data Breach report. For the first time, the healthcare industry has surpassed finance as the most targeted industry.

The reality is stark: healthcare organizations, responsible for safeguarding some of society’s most vulnerable populations, face escalating attacks, with each event carrying massive direct and indirect costs.

Why Healthcare Is a Prime Target

Healthcare organizations are uniquely vulnerable because they manage enormous amounts of valuable personal information, often with older technology. Several factors make them especially attractive to cybercriminals, including:

  • High value of patient data on the dark web (hundreds of dollars per record)
  • Complex, fragmented IT infrastructures with outdated systems
  • Multiple administrators and databases, leading to gaps in oversight
  • Poor cybersecurity practices among staff
  • Underfunded cybersecurity programs, allowing vulnerabilities to persist

Scammers seek patient records, such as Social Security numbers, insurance details, medical histories, and contact information, for identity theft, financial fraud, and targeted scams. Disruptions caused by ransomware attacks can halt billing systems, delay treatment, and ultimately threaten patient safety.

One of the most severe incidents to date happened in early 2024 when UnitedHealth Group’s Change Healthcare division suffered a ransomware attack that stole over six terabytes of data. The attack halted pharmacy operations, delayed medical billing, and cost UnitedHealth Group $872 million in the first quarter alone, excluding direct breach response costs.

The True Cost of a Healthcare Breach

When an incident strikes, the visible and hidden costs escalate quickly, many lasting for years after the initial event.

Direct Costs

Organizations are immediately hit with significant expenses tied to investigation, mitigation, and compliance efforts. Common direct costs include:

  • Incident investigation and forensic IT services to locate and neutralize threats.
  • Regulatory fines and penalties tied to HIPAA violations, which can range from a few thousand dollars to over a million dollars.
  • Legal fees and potential lawsuits from patients, vendors, or regulatory agencies.
  • Ransom payments to attackers who threaten data exposure or prolonged system outages.

Indirect Costs

The damage doesn’t stop once the immediate threat is contained. Other expenses are incurred for:

  • Operational downtime and manual workarounds that disrupt billing, care delivery, and administrative functions.
  • Patient loss and reputational damage that weaken loyalty and referral networks.
  • Higher cyber insurance premiums after claims are filed.
  • Expanded compliance obligations with more frequent audits and reporting requirements.

It’s important to note that expenses related to HIPAA fines, legal settlements, public relations efforts, and regulatory monitoring often stretch across three to four years following an incident.

In addition to the fines and penalties, organizations must enter into corrective action plan agreements with the Department of Health and Human Services (HHS). To address compliance gaps, organizations must implement targeted remediation measures, such as conducting an annual risk analysis, developing a risk management plan, revising internal policies and procedures, and establishing training programs.

Beyond these corrective actions, IBM reports that 75% of the increase in breach-related costs now stems not from technical fixes but from lost business, delayed operations, ongoing compliance burdens, and increased customer support.

Proactive Steps Organizations Can Take to Reduce Risk

Investing in cybersecurity upfront is far more cost-effective than responding after a breach occurs. Organizations can significantly lower their exposure with the following steps:

  1. Conduct regular security assessments to identify vulnerabilities.
  2. Perform the required annual HIPAA risk analysis to identify and evaluate potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that an organization holds.
  3. Conduct penetration testing and vulnerability scanning to identify and fix weaknesses.
  4. Encrypt sensitive data, both in transit and at rest.
  5. Implement multifactor authentication (MFA) and apply least privilege access controls.
  6. Train employees regularly in cybersecurity best practices.
  7. Maintain secure backups and a strong data recovery plan.
  8. Use a SIEM (Security Information and Event Management) system to monitor threats.

If an incident occurs, it’s beneficial to have the following:

  • A well-defined incident response plan already in place.
  • Strong data security posture management to minimize damage.
  • Ongoing collaboration with cybersecurity professionals to adapt to new threats.
  • Regular data backups so data can be restored quickly and accurately.
  • Cyber insurance to help mitigate financial losses and cover recovery costs.

We Can Help

At Elliott Davis, we specialize in helping healthcare organizations build strong defenses before an incident occurs. Our services include:

  • Annual HIPAA risk analysis
  • HITRUST compliance assessments
  • Internal and external vulnerability scans and penetration testing
  • Comprehensive cybersecurity assessments

Our experienced team can help you identify vulnerabilities, streamline compliance, and reduce risk exposure, so your organization is better protected against today’s growing threats.

Safeguard your operations before the next attack strikes. Contact us today to schedule a HIPAA compliance review or cybersecurity assessment.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
