The cost of a healthcare data breach is $408 per lost or stolen record, nearly three times the cross-industry average, according to the 2018 Cost of a Data Breach Study: Global Overview from IBM Security and the Ponemon Institute. The average cost per lost or stolen record across all sectors is $148, Ponemon gauged.

If you track cybersecurity and data breaches, Ponemon Institute is a go-to resource; I’ve discussed their research here in Health Populi on hacked medical information as a new-normal.

This is the eighth year in a row that healthcare organizations had the highest costs associated with data breaches per lost or stolen record. Ponemon recognizes that certain industries have higher data breach costs: more heavily regulated sectors such as financial services and healthcare have greater exposure compared with the public sector, research, retail, and hospitality.

This 2018 report found the average cost of a data breach globally was $3.86 million, up 6.4% from 2017. The 2018 report also explores the concept of “mega-breaches” (very large scale events) for the first time, with data losses ranging from 1 million to 50 million records lost, resulting in financial losses of $40 million to $350 million.

There are many expenses incurred with a data breach beyond operational costs: namely, reputational damage and customer turnover, Ponemon notes in the 2018 report.

Health Populi’s Hot Points: As I was reviewing the 2018 Ponemon data breach study, I received a brochure in the mail from a bank I deal with, NatWest. I scanned the cover of this document, shown here, advising me of, “New privacy rules mean you’re (“I’m”) in control of your (“My”) data.”

The inside of this four-page booklet explained the new General Data Protection Regulation (GDPR) that changed privacy laws in the UK on 25th May 2018. The advice told me that, “the GDPR gives you more control over how your personal information is used,” further explaining how the bank will look after my information and streamline banking transactions.

I thought to myself, “hmm…when was the last time my health insurance plan, healthcare provider, or pharmacy benefit manager told me that I’d be ‘in control’ of my data?”

Of course, the answer is that I’ve never heard that “in control of my data” scenario from any of the healthcare touch point organizations in my own healthcare life.

Aside from feeling like the shoemaker’s child with no shoes, the bigger picture is that most patients and consumers want to be in control of their healthcare data, and aren’t.

The only U.S. state which has a law asserting that patients own their electronic health records is New Hampshire.

Of New Hampshire’s state nicknames, my favorite is the “Switzerland of America.”

Aside from the obvious reference to Switzerland’s climate and topography, the country is also a healthcare leader with a modernized digital infrastructure, and provisions for patients to control access to their own information.

The epidemic rise of cybersecurity threats in U.S. healthcare further compromises consumers’ trust in the healthcare system. While healthcare executives are aware of these threats, patients, consumers and caregivers continue to wonder why they’re not in more control of their own data.

The emerging Privacy By Design movement is looking to bridge this gap, and I look forward to more healthcare stakeholders adopting this approach for both privacy/security and consumers’ experience.

2 Comments on The Cost of a Healthcare Data Breach is $408 Per Stolen Record, 3X the Industry Average

GK Palem said (Guest, 4 years ago):

Good article. GDPR emphasizes data protection, but unfortunately many of the existing Healthcare IT/EHR implementations are not compliant for such levels of protection. HL7 FHIR enables interconnected exchange of healthcare data - but does not have the secure by design philosophy, leaving the data-protection to the record keepers, which is a major security loophole. One notable effort in this direction is the Patient-centric EHR systems, such as the Cenacle Blockchain-based EHR, that employs "privacy by design" with patients owning the data, controlling the access, end-to-end security, privacy by default etc. Closed Beta demo requests are welcome for interested parties. A generic public demo with limited features is available at:

Cindy Throop said (Guest, 4 years ago):

If I could add something to your article, I would add that the costs *to patients* are unknown, but that if rules around pre-existing conditions change, the costs would be [insert estimated amount]. I'm guessing that amount would exceed the cost to companies.
