How Much Healthcare Cybersecurity Breaches Really Cost

According to IBM’s Cost of a Data Breach Report 2023, healthcare remains a prime target for online criminal groups. The costs associated with data breaches in this sector are the highest of any industry and have risen for the 13th consecutive year.

Healthcare data breaches come with a hefty price tag, standing out as one of the most expensive types of data breaches. While the average cost of a data breach across industries is $4.45 million, healthcare data breaches top the list with an average cost of $10.93 million.

According to data compiled by the Atlas VPN team, a staggering 87 million patients in the United States had their information exposed in breaches in 2023. This figure is more than double the previous year’s count of 37 million affected individuals. The figures are derived from the U.S. Department of Health and Human Services Office for Civil Rights breach database: covered health organizations are obligated to report any health data breach affecting 500 or more individuals to the HHS Secretary, and those reports are then disclosed publicly.

This article takes a closer look at the many dimensions of healthcare cybersecurity breaches: the most affected US states, the types of data breaches, the largest cases on record, penalties and fines, and the importance of protecting healthcare organizations.

Vulnerability Across US States

California
California emerges at the forefront of vulnerability, with 43 healthcare organizations experiencing data breaches in 2023. The state’s extensive population and concentration of healthcare providers make it a prime target for cyber threats.

New York

Following closely, New York ranks second with 42 reported healthcare data breaches. Being home to one of the world’s largest cities, the state holds a substantial reservoir of valuable data, attracting the attention of hackers.

Texas, Massachusetts and Pennsylvania

In third position, Texas has seen 38 healthcare entities fall victim to breaches. Other states ranking highly include Massachusetts and Pennsylvania, with 31 and 30 breaches, respectively. The Northeast, home to numerous top hospitals and research centers, is an appealing target for cybercriminals.

Noteworthy Exception: Vermont

A notable exception is Vermont, standing as the sole state with no reported healthcare breaches in 2023. The state’s modest population and absence of major cities may contribute to flying under the radar of sophisticated hackers seeking maximum rewards.

The intrinsic value of medical records, coupled with their sensitive nature, positions them as highly desirable targets for criminals. This underscores the imperative for the implementation of robust security standards. Patients have a right to trust that their most personal information is secure, and healthcare providers must prioritize data protection with the same gravity as patient care.

What types of healthcare data breaches are most common?

Thanks to HIPAA (the Health Insurance Portability and Accountability Act) and its breach-reporting requirements, healthcare data breaches are far more transparent than those in other industries.

The Office for Civil Rights (OCR) makes these records public, revealing that the most common types of healthcare data breaches were:

  • Hacking and IT incidents: 555
  • Unauthorized access or disclosure: 113
  • Physical theft: 35
  • Improper disposal of records: 4

To meet OCR requirements, organizations must provide specific details about each incident. Hacking and IT incidents most often stem from attacks on the victim’s network server, with malware a common method. Network-server attacks accounted for 399 incidents, or 56% of the total reported data breaches.

Major Healthcare Data Breaches

Healthcare data breaches are often smaller in scale than those in other industries, because most providers serve a local patient population: the largest healthcare data breach of 2022, at OneTouchPoint, affected 4.1 million people. They can nonetheless be highly damaging to individuals, because healthcare organizations hold extensive personal and sensitive information about each patient.

The top five largest healthcare data breaches ever recorded are:

  • 78 million: Anthem
  • 11.5 million: Optum360
  • 11 million: Premera Blue Cross
  • 10.2 million: Laboratory Corporation of America Holdings
  • 9.3 million: Excellus Health Plan

Since January 2022, there have been 21 reported cases where healthcare firms compromised over one million records. Additionally, another 22 cases involved breaches exceeding 500,000 records.

HIPAA Data Breach Penalties and Fines

The HIPAA Privacy Rule governs data protection in healthcare and is enforced by the OCR. Violations are classified into four tiers, ranging from unawareness to negligence, and fines are assessed “per violation.” The OCR has issued $65,658,440 in HIPAA fines over five years, including $2,170,140 in 2022. Notably, Oklahoma State University’s Center for Health Services paid $875,000 for a 2017 incident affecting almost 280,000 people. The four penalty tiers are:

  1. Tier 1: $100–$50,000 per violation
  2. Tier 2: $1,000–$50,000 per violation
  3. Tier 3: $10,000–$50,000 per violation
  4. Tier 4: $50,000 or more per violation

Backlogs in investigating security incidents are common everywhere, and the OCR currently has 875 ongoing investigations, including 91 from 2022. State attorneys general also assist with HIPAA enforcement, which underlines the challenges regulators face.

The Importance of Protecting Healthcare Organizations

To secure health data and prevent breaches, healthcare firms must prioritize staff awareness training, because the human element is involved in so many incidents. Effective training reduces the risk from phishing attacks and employee negligence.

However, the industry’s significant challenge lies in investing in cybersecurity and identity management technology. The 2022 HIMSS Healthcare Cybersecurity Survey indicates budget constraints, with a third of organizations reporting decreased or unchanged budgets. The sector allocates only 5% of its budget to cybersecurity, compared to the U.S. government’s 15% and the average organization’s 9.9%.

Given that 73% of healthcare providers still run legacy operating systems that are vulnerable to cyber attacks, it is crucial to reevaluate the industry’s cybersecurity approach. Investment in technology and identity management is vital for maintaining patient trust and curbing the growing costs of data breaches.

→ Ready to unlock the full potential of your IT infrastructure? Elevate your business with expert IT services! Schedule a free consultation with us, and let’s chart your path to digital success!
