

Healthcare Industry Losing Average of $2.2 Million per Data Breach

A majority of healthcare organizations recently surveyed have experienced multiple data breaches, with estimated losses averaging more than $2.2 million per breach over the last two years.

“No healthcare organization, regardless of size, is immune from data breach,” the report said. The report looked at healthcare organizations and their business associates.

Perhaps more troubling is the finding that, despite an increase in the frequency of these data breaches, “many organizations lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes and other dangers,” the report said.

These data breaches are “increasingly costly and frequent,” the report said, “and continue to put patient data at risk.” The report estimates that data breaches could be costing the industry $6.2 billion annually.

“Probably the crown jewel of confidential information across all industries is your health record,” Larry Ponemon, founder of the Ponemon Institute (which conducted the study), previously told BRINK. “Not only does it contain your physiological factors and health conditions and pharmaceuticals you take, but it also contains payment information like your health ID or, if you co-pay, your debit or credit card might be on file.”

A Ponemon Institute study found that stolen credit card data sold at auction on the Internet’s black market averaged 33 cents. Meanwhile, complete healthcare records sold for an average of $251.

Despite the skyrocketing losses and persistent risk, about half of all the organizations surveyed said they have “little or no confidence that they can detect all patient data loss or theft,” the report said.

Half of all data breaches were due to criminal attacks, the leading cause of healthcare data breaches, while 13 percent were attributed to a malicious insider. In 2016, denial-of-service, ransomware and malware were the cyber attacks that most concerned healthcare organizations. Meanwhile, employee negligence was considered the greatest threat when dealing with data breaches.


Many healthcare organizations and business associates are negligent when handling patient information, the report found. Although external threats continue to dominate, internal “mistakes”—unintentional employee actions, third-party snafus and stolen computing devices—“are equally a problem and account for a significant percentage of data breaches,” the report said, adding that 36 percent of healthcare organizations and 55 percent of business associates named unintentional employee actions as a cause of data breaches.


The recent spate of big healthcare data breaches has increased awareness of the issue within the industry, the report said, “resulting in more focus” on security practices and “implementing the appropriate policies and procedures.” But it’s not enough. According to the report, “half of these organizations still don’t have the people or the budget to detect or manage data breaches.”

More than half (54 percent) of respondents said their organizations have technologies in place to thwart or quickly detect unauthorized access to patient information, loss or theft. That figure is up five points from last year’s survey. Some 37 percent said their organizations have resources to prevent or quickly detect unauthorized access to patient data, loss or theft, which is a four-point increase from last year.
