The Security Scrutinizer with Howard Anderson

Breaches: Assessing the Economic Impact

Study Estimates the Cost of Incidents

What's the economic impact of information breaches? The Ponemon Institute, a research organization, makes an educated guess that the impact averages more than $2.2 million every two years for healthcare organizations.

But how did the institute come up with that figure? Researchers extrapolated it from the results of a small survey. Ponemon conducted detailed interviews with executives at 72 healthcare organizations that opted into the institute's second annual benchmark study, sponsored by ID Experts. Ponemon used its proprietary database of 481 organizations to reach out to potential participants.

In the interviews, executives were asked to describe the economic impact of data breach incidents experienced by their organization over the past two years, choosing from eight ranges. The most common answer, selected by 26 percent, was $200,001 to $500,000. Another 22 percent selected $1 million to $10 million. Using "an extrapolation method," researchers estimate that the average two-year cost per organization is $2.25 million.

Whether you buy into that figure or not, it's clear that the economic impact of breaches is substantial. And this survey, like many others, shows that not enough is being done to detect and prevent breach incidents. For example, more than half of organizations surveyed say they have little or no confidence that their organization could detect all patient data loss or theft.

Breach Survey Results

Here are other highlights from the study:

  • On average, organizations surveyed have had four data breach incidents in the past two years, up from three in last year's study.
  • The average number of lost or stolen records per breach is 2,575, up from 1,769 in the previous study.
  • The top three causes for a data breach are lost or stolen computing devices, third-party mistakes and unintentional employee action.
  • Insufficient budgets and inadequate risk assessments are cited as the two greatest breach prevention weaknesses.
  • Some 81 percent of those surveyed use mobile devices to collect, store or transmit patient information, but 49 percent say they're doing nothing to protect these devices.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
