What is Your Data Worth? The Cost of a Healthcare Data Breach

It is difficult to argue that technology has not improved our lives and businesses in many ways. On the other hand, it’s just as difficult to argue that technology advancements are not without some very serious risks. IBM’s 2019 Cost of a Data Breach Report illustrates the fact that the healthcare industry is the most expensive industry in which to experience a data breach. It can be catastrophic to a healthcare provider, hospital system, or healthcare service provider. No industry is immune, and prevention and detection require constant attention from humans as well as technology. In IBM’s report, the average cost of a data breach is $3.9 million.  However, the healthcare industry exceeds all other industries by 65% at $6.45 million average total cost per data breach. Unfortunately, that means that a data breach can often cripple or even close a small to medium-sized business.

Costs are affected by the type of industry, the cause of the breach and the cost of notifying patients and regulatory authorities. Heavily regulated industries like finance and healthcare face potential fines and increased reporting requirements. A cost that is difficult to quantify, though, is the potential loss of new business as well as existing patients/customers during and after a breach. Small businesses must rely on other companies or consultants like IT support and attorneys, which can cause response times to drag as well as increase overall cost. The residual impact of a data breach can be felt for up to two years after its occurrence.

Safety Measures

It can be overwhelming to think about the many components that might keep your practice safe from a breach and recovering from one when it happens. For small businesses, three things that will have the greatest impact on prevention, detection, and mitigation are 1) employee training, 2) encryption of data in transit and saved on servers, and 3) a contingency plan. Set a date to review the plan with key employees at least once per year. It should also be reviewed when any technology or facility changes occur.

It is human nature to avoid thinking about and planning for unpleasant events, but a good plan of prevention, detection, and mitigation is well worth the investment when one happens.


The rise of ransomware and its increased impact on small to medium-sized organizations can keep most business owners and security professionals awake at night. Ransomware is a form of malware where a hacker gains access to a business’s data, encrypts it, and demands payment for the access code for the organization to recover the data. The outcome is never certain, though. Even if the ransom is paid, many hackers still steal and/or delete the victim’s data, rendering all of the victim’s data lost. In many cases that data is its most valuable asset.

The U.S. Department of Health and Human Services (HHS) reports that 58% of malware victims are small businesses. HHS advises that in the event of a ransomware attack, DO NOT turn the computer off or unplug it.  DO disconnect it from your network and internet connection.  The reason for this is so that valuable forensic information can be retained on its hard drive. If a computer is connected wirelessly, disable the Wi-Fi.  Go to your computer’s settings or find the wireless icon in your toolbar.  If the computer is connected by an ethernet cable, disconnect the cable from the machine. Ethernet cables are usually blue and look like a large phone connector.

Preventative measures are an effective antidote. Regularly back up your practice’s data. Test it with your IT support to be sure that it can be restored without error in the event of a disaster or ransomware attack. Ensuring employees are aware of the ways an attacker might gain access to your practice’s systems can also reduce the likelihood of a security incident or data breach. The most effective defenses include reminding employees to avoid clicking on links, downloading attachments in emails, and to verify that a recipient of protected health information is legitimate before sending.