In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement. ( “The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See” , “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions” , “The Seven Most Likely Causes of Major HIPAA Breaches” , “The Five Most Likely Types of Major HIPAA Breaches” ) A basic question though is how much does a data breach cost in dollars and cents?

I am reasonably certain that as with all statistical matters, depending on how you skew the numbers, there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015, which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) which I believe is both timely and highly informative.

Some of the key findings of this report indicate that there has been a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report represents 2014).

The simple study of 350 companies dealt with data breaches. The average cost of a breach increased from $3.52 to $3.79 million during a one year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive level involvement is necessary to achieve an effective incident response to a data breach and 70% believe that board level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 19 identifiers relating to HIPAA.)

Malicious or criminal attacks were 47% of the root causes as opposed to 42% a year earlier, and similarly the report shows an increased cost from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach the greater the likelihood, and apparently, the higher the cost per record.

Costs relating to detection increased as well from $0.76 million to $0.99 million. The costs included forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

The cost of the data breach ranges by industry, and while the average is $154, the average cost for a healthcare organization is $363.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (Not in my backyard) seems to be a common mindset with small to medium Covered Entities (CEs) and/or Business Associates (BAs) – this only happens to the other guy. The threat of a data breach is real.

In communication I had with the FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset (even absent the significant regulatory issues) is misguided.