The cost of a healthcare data breach is $408 per lost or stolen record, nearly three times the cross-industry average, according to the 2018 Cost of a Data Breach Study: Global Overview from IBM Security and the Ponemon Institute. The average cost per lost or stolen record across all sectors is $148, Ponemon gauged.

If you track cybersecurity and data breaches, the Ponemon Institute is a go-to resource; I’ve discussed their research here in Health Populi on hacked medical information as a new normal.

This is the eighth year in a row that healthcare organizations have had the highest cost per lost or stolen record of any industry. Ponemon recognizes that certain industries have higher data breach costs: more heavily regulated sectors such as financial services and healthcare have greater exposure compared with the public sector, research, retail, and hospitality.

The 2018 report found that the average total cost of a data breach globally was $3.86 million, up 6.4% from 2017. The 2018 report also explores the concept of “mega-breaches” (very large scale events) for the first time, covering incidents in which between 1 million and 50 million records were lost, resulting in financial losses of $40 million to $350 million.

A data breach incurs many expenses beyond operational costs, namely reputational damage and customer turnover, Ponemon notes in the 2018 report.

Health Populi’s Hot Points: As I was reviewing the 2018 Ponemon data breach study, I received a brochure in the mail from a bank I deal with, NatWest. I scanned the cover of this document, shown here, advising me that “New privacy rules mean you’re (“I’m”) in control of your (“My”) data.”

The inside of this four-page booklet explained the new General Data Protection Regulation (GDPR) that changed privacy laws in the UK on 25th May 2018. The advice told me that, “the GDPR gives you more control over how your personal information is used,” further explaining how the bank will look after my information and streamline banking transactions.

I thought to myself, “Hmm…when was the last time my health insurance plan, healthcare provider, or pharmacy benefit manager told me that I’d be ‘in control’ of my data?”

Of course, the answer is that I’ve never heard that “in control of my data” message from any of the healthcare touchpoint organizations in my own healthcare life.

Aside from feeling like the shoemaker’s child with no shoes, the bigger picture is that most patients and consumers want to be in control of their healthcare data, and aren’t.

The only U.S. state which has a law asserting that patients own their electronic health records is New Hampshire.

Of New Hampshire’s state nicknames, my favorite is the “Switzerland of America.”

Aside from the obvious reference to Switzerland’s climate and topography, the country is also a healthcare leader with a modernized digital infrastructure, and provisions for patients to control access to their own information.

The epidemic rise of cybersecurity threats in U.S. healthcare further compromises consumers’ trust in the healthcare system. While healthcare executives are aware of these threats, patients, consumers, and caregivers continue to wonder why they’re not in more control of their own data.

The emerging Privacy by Design movement is looking to bridge this gap, and I look forward to more healthcare stakeholders adopting this approach for both privacy/security and consumers’ experience.