Skip to main content

Data Breaches Cost Hospitals $4B Annually

Analysis  |  By Jack O'Brien  
   November 04, 2019

Provider organizations are expected to struggle to protect healthcare data in 2020, according to a Black Book survey.

The total cost of data breaches at healthcare organizations is projected to reach $4 billion by the end of 2019, according to a Black Book survey released Monday morning.

Nearly all information technology (IT) professionals at provider organizations believe that data hackers are outpacing organizational efforts to protect sensitive healthcare data, a trend which is expected to worsen in 2020. 

Ninety-three percent of healthcare organizations reported a data breach in the past three years and 57% of respondents said their respective organizations experienced more than five data breaches over the same period of time. 

For 2019, respondents estimated that data breaches cost organizations $423 per record.

Additionally, provider organizations continue to be the most targeted organizations for cyberattacks, according to Black Book, accounting for nearly 80% of attacks. Respondents indicated that over half of data breaches were caused by an external party.

Related: Cybersecurity is Top Issue for Hospital IT Professionals, Creating New Workforce Dynamics

There have been several high-profile data breaches at hospitals around the country in recent months, including a breach in mid-June at Massachusetts General Hospital that affected nearly 10,000 people and a "data security incident" at Presbyterian Healthcare Services that affected around 183,000 patients.

Most recently, DCH Health System had to temporarily stop accepting patients due to a malware attack that affected its computer systems.

Related: Health Insurers Make It Easy for Scammers to Steal Millions. Who Pays? You.

Despite the rise of cyberattacks on hospitals in recent years, most IT professionals said that budgets have not increased to keep up with the demands to protect patient data.

For hospital IT budgets, cybersecurity accounts for 6% of the annual spend but provider organizations have onlyt set aside less than 1% of their fiscal year 2020 budgets for cybersecurity.

The Black Book survey also pointed to a lack of focus from hospital leadership on overseeing cybersecurity decision-making, with only 4% of organizations implementing a steering committee to account for cybersecurity investments. Just over one-fifth of hospitals reported having a "dedicated security executive," while only 6% reported having a leader with the title of 'Chief information security officer.'

Related: What One Hospital Learned From a Ransomware Attack

Jack O'Brien is the Content Team Lead and Finance Editor at HealthLeaders, an HCPro brand.

Get the latest on healthcare leadership in your inbox.