It is clear that the health care industry continues to be targeted with cyber-attacks. In 2018, the 10 largest health care breaches, outlined here, include unauthorized access to protected health information (PHI) through a vendor offering claims processing, ransomware incidents, successful phishing schemes, mailing PHI to wrong addressees, hacking, a misdirected email, and a lost unencrypted hard drive. Most of these might have been prevented through greater employee security awareness.
A report by Positive Technologies [view related post] indicates that, overall, cyber incidents have increased 32 percent in 2018 from 2017, including a 13 percent increase in data theft.
A new Ponemon study for IBM Security states that the average cost of a health care data breach is $408 per record, compared to a $206 per record for a financial services data breach. According to the study, the overall average cost of a data breach globally is $3.86 million, which is an increase of 6.4 percent over last year, although the average cost of a data breach in the U.S. was $7.91 million.
It is being reported that for the first time ever, Ponemon and IBM analyzed the costs of breaches involving more than one million records. The estimated cost is $40 million, which rises to $350 million if there are over 50 million records involved. Interestingly, the report states that the biggest cost of these huge data breaches is the loss of customers, which has never before been quantified. The study estimates that the loss of customers for a 50 million record breach costs $118 million.
Even more interesting to this writer is the conclusion that rushing to notify individuals of an incident before all of the facts have been obtained increases the cost of a data breach by almost $5 per record. With the new GDPR 72 hour breach notification, companies should be aware of the increase cost associated with issuing notices before all of the facts are known, which is likely to be the case if notifications are issued within 72 hours.