Healthcare takes the crown for most expensive data breaches…again
There are some titles we fight for, and some that we’d rather leave behind. The healthcare industry has had its fair share of the latter in recent years, including being one of the worst places for burnout, one of the most inefficient systems for producing quality results, and one of the most expensive sectors of the economy overall.
This year, healthcare can celebrate (?) retaining another one of these accolades: keeping its top spot on the list of the industries with the most expensive data breaches – a medal it has won every year since 2011, according to the latest research from IBM and the Ponemon Institute, which evaluated the impact of data breaches across 17 industries in 16 global regions.
In a sample of data breaches occurring between March 2023 and February 2024, the average cost of a healthcare cybersecurity incident topped $9.77 million, the research found.
Crucially, however, the survey window did not include the extraordinarily massive Change Healthcare cyberattack or the recent CrowdStrike event, the costs of which will no doubt blow these averages out of the water in next year’s assessment.
Still, the $9.77 million figure far exceeds the cross-industry global average of $4.88 million in 2024, which is itself a 10% jump up in costs from 2023. Data breaches have been getting more expensive every year since 2018, although new technologies, including artificial intelligence, are helping reduce the time it takes to identify and contain a breach.
Other key findings from the research include:
- Costs from lost business and post-breach response rose nearly 11% from 2023 to 2024. These costs include revenue lost to downtime, loss of customers, and reputational damage, as well as after-breach impacts such as credit monitoring services and fines.
- Malicious attacks made up only 55% of identified data breaches. The remaining 48% were caused by IT failures or human error, reinforcing the importance of ongoing training and education for all staff.
- A third of breaches involve “shadow data” stored across multiple environments, making these events harder to identify, control, and contain. Shadow data theft was associated with a 16% greater cost of a breach.
- The mean time to identify and contain a breach was 258 days in 2024, representing a 7-year low. Breaches involving stolen or compromised credentials took an average of 292 days to identify and contain – the longest time period of any attack vector.
- Full recovery from an attack takes about 100 days, with 70% of businesses experiencing significant disruption to basic operations during this period.
- Two-thirds of organizations said they are deploying AI and automation across their security infrastructure, with about 20% using AI across all four categories of prevention, detection, investigation, and response. This is leading to a $2.2 million reduction in average breach costs among the most mature organizations.
- More than half of organizations reported significant staffing shortages, and even the 20% of entities using generative AI tools to make up for the shortfalls don’t have enough resources to adequately cover their needs.
With data breaches getting more sophisticated and more frequent with each passing year, healthcare organizations need to remain vigilant if the industry is ever to relinquish its top spot on the list.
IBM and Ponemon suggest that organizations frequently reassess their information landscape and be fully aware of where data is stored, who has access to it, and what safeguards are in place to ensure its security. The organizations also recommend continued investment in AI-driven cybersecurity tools to automate the detection of weaknesses, monitor threat vectors, and identify suspect activities as quickly as possible.
Along with continuous training for staff members and enhanced efforts to secure the most qualified cybersecurity professionals available, these activities can reduce the likelihood of devastating and expensive data breaches in healthcare and beyond.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.