The healthcare industry is often the target of bad actors partly because of the sensitive nature of the data organizations keep. Successful cyberattacks and data breaches are often costly for the same reason. Measuring the true cost of data breaches must take into account potential fines, lawsuits, and reputational damage. The value of threat mitigation can be difficult to visualize, but knowing the potential cost of the risk provides a baseline perspective on why it’s important to invest in proactive IT and cybersecurity measures.
What is a Data Breach?
A data breach occurs when unauthorized individuals gain access to confidential information. For healthcare organizations, this often involves sensitive patient data, including medical records, personal identification information, and financial details. Healthcare data breaches are more common than one might think, even among organizations that understand the risk and have taken steps to secure their data.
The healthcare industry is among the most frequently breached. For example, there were 725 reported breaches in 2023, exposing over 133 million records. This trend has continued in recent years, with healthcare consistently topping the list for the most frequent cyberattacks and the most costly data breaches.
Healthcare data is incredibly valuable to cyber criminals, leaving organizations with quite a conundrum: how to secure and restrict massive amounts of data while making it accessible to healthcare workers who need access to do their jobs.
Immediate Repercussions of a Data Breach
The impact of a data breach on an organization is multilayered. There is an immediate impact, and there are long-term consequences of cybersecurity failure. Some of the immediate consequences include:
- Downtime and Containment: Breaches often lead to operational downtime. In general, an IT team will take a system down to stop further data loss. This containment strategy allows them to determine why the failure occurred and to take steps to secure the system. Unfortunately for the organization, the system is often inaccessible during this time. Containment can be complicated by “dwell time,” the length of time an attacker retains access to a system while remaining undetected. On average, it can take 231 days before a data breach is discovered.
- Notifications: Once a breach occurs, healthcare organizations are legally required to make a series of notifications. To start, they must notify affected individuals — which can present its own challenge. In order to notify all affected individuals, the organization must have a solid understanding of the extent of the breach and know what data was compromised. They also must alert regulatory bodies, such as the U.S. Department of Health and Human Services. The entire process can be costly and time-consuming.
- Regulatory Impact: Healthcare organizations must comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA). Data breaches sometimes cause regulatory bodies to take a closer look at the organization and its practices. In severe breaches, a full investigation might be launched. If an organization is found to have failed to meet regulatory requirements before, during, or after a breach, it might face fines and legal consequences.
Long-term Repercussions
Even when a data breach is quickly contained and the short-term ramifications are dealt with, long-lasting impacts can continue to damage an organization. Below, we examine some of the long-term issues an organization that suffers a data breach might face:
- Financial Losses: The financial impact can be devastating. In 2023, the average cost of a healthcare data breach rose to $11 million — significantly higher than the global average of $4.45 million across all industries. Incurred costs for healthcare organizations come from legal fees, fines, and the expenses of updating cybersecurity measures and data systems.
- Lawsuits: Breaches often lead to legal action. This can take the form of individual lawsuits or, in a worst-case scenario, a class action lawsuit. If your organization is found to have been negligent in some way, or if you did not take proper precautions to prevent a data breach, the liability costs could rise.
- Reputational Damage: It’s hard to put a price tag on reputation, but an embarrassing cybersecurity failure can cause cataclysmic damage to an organization’s relationship with its clientele. Establishing trust is essential in healthcare; organizations spend millions of dollars building a reliable and positive reputation. A data breach can undo much of that work and force an organization to spend millions more on rehabilitation.
- Patient Turnover: Patient turnover can create its own cost. If patients no longer trust you with their data or become frustrated with any resulting downtime, they might turn elsewhere for services. In short, a loss of trust can lead to a decline in patients and hurt an organization’s revenue.
Examples of Major Healthcare Breaches
There have been several high-profile breaches of healthcare organizations that illustrate the risks faced within the industry. Although it can be helpful to look at global averages, understanding how severely a breach impacts your industry puts things into a jarring perspective:
- Anthem Inc. (2015): Anthem Inc.’s breach was one of the largest ever in the healthcare sector. The breach impacted more than 78.8 million individuals. In the aftermath, Anthem faced class action lawsuits and ultimately settled them for $115 million.
- PharMerica and BrightSpring Health Services (2023): Hackers breached databases and were able to access records related to more than 5.8 million people. The accessed information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica notified affected individuals, offering complimentary credit monitoring and identity theft protection services for 12 months.
- Change Healthcare (2024): The Change Healthcare cyberattack developed over the last year and continues to unfold. The breach began in February with an attack that disrupted the company’s ability to make payouts to doctors. The attack prevented UnitedHealth Group from processing claims, forcing some patients to pay for medication and treatments out of pocket. Some healthcare providers stated that they were losing up to $100 million a day in revenue. By April, Change Healthcare had advanced more than $6 billion to healthcare providers. Also, it was reported that UnitedHealth allegedly paid the hacker $22 million to recover their data, according to corroborated posts on a hacker forum.
Prevention is Worth the Investment
Healthcare data breaches cause wide-ranging and far-reaching consequences. The financial impact can be substantial, but the reputational damage and the time spent addressing the breach are nearly incalculable. It’s clear that healthcare executives should prioritize data protection and cybersecurity to mitigate these risks. The upfront investment is well worth it when considering the alternative.
Learn more about how you can prevent a data breach.