The Cost of a Healthcare Data Breach

April 1, 2021

In an earlier post about healthcare data security, HealthStream wrote about how “Greater awareness and the institution of tighter healthcare security measures has not done much to discourage the efforts of criminals to gain access to private information. Security breaches in healthcare continue to be common headaches for organizations across the map. If anything, hacking techniques have become more sophisticated and complex as a result. Healthcare security needs to take note and respond.”

A healthcare data breach is accompanied by serious costs: financial costs in the form of fines and legal judgments, as well as the cost of administering the training required by a corporate integrity agreement (CIA). This blog post looks at some of these costs, why breaches commonly occur, and what to do about them.

What Healthcare Systems Are Most Susceptible to Security Breaches?

According to Health IT Security, 500+ healthcare organizations reported breaches of more than 500 patient records to the Department of Health & Human Services during the first 10 months of 2020, a rise of 18% over the prior year. They add that “Hacking and IT incidents remained the biggest cause of healthcare data breaches, accounting for 69 percent of reported incidents—an 8 percent increase from 2019. The second leading cause was unauthorized access, which caused 20 percent of all breaches.”

While network server attacks are rising, “Email continues to be the most common attack vector leveraged in attacks on healthcare providers, despite the prevalence of ransomware.” Breaches linked to business associates are also increasing. The same article warns that vigilance is especially merited during “weekend and holidays, which are the most common attack timeframes (when fewer staff members are working).” Organizations should implement “anti-ransomware solutions and routine training for employees on malicious emails and common phishing tactics.”

Fierce Healthcare offers, “Within the healthcare industry, 50% of breaches were the result of a malicious attack, 27% of breach incidents were caused by human error, and 23% were caused by a system glitch.”

Recent Healthcare Data Security Breaches

Reporting about the top 10 healthcare data security incidents, HealthcareITNews offers that “not every security incident was caused by major ransomware attacks, of course. Some costly breaches were caused by much more mundane activities, such as improperly disposed materials or employee snooping.” In addition, “More than 10 million individuals were affected by the breaches in the top 10 list alone.”

Organization                    Individuals Affected    Cause of Breach
Trinity Health                  3.3 million             ransomware attack
Inova Health                    1 million               ransomware attack
Magellan Health                 1 million               ransomware attack
Dental Care Alliance            1 million
Luxottica of America                                    online scheduling application breach
Northern Light Health                                   ransomware attack
Health Share of Oregon                                  stolen laptop
Florida Orthopaedic Institute                           ransomware attack
Elkhart Emergency Physicians                            improper file disposal
(not listed)                                            unauthorized access


The Myriad Costs of a Healthcare Data Security Breach

According to Fierce Healthcare, “A healthcare data breach comes with a hefty price tag—to the tune of $7.13 million on average. That's up more than 10% from last year, when the average data breach cost healthcare organizations $6.45 million, according to IBM Security’s 2020 data breach cost report. Healthcare organizations continue to have the highest costs associated with data breaches, according to the report, which looked at more than 500 data breaches that occurred last year across 17 industries.”

In addition, while smart technology focused on data automation and collection can limit the costs of a breach, “healthcare companies have a low rate of adoption for these technologies. Only 23% of healthcare organizations have fully deployed security automation tools.” Enacting practical data security measures can have a big impact for healthcare.

A healthcare data security breach can also have serious non-financial impacts. These include:

Employee Productivity – healthcare professionals in IT and elsewhere may find that they are devoting more time to security and less to improving healthcare. For those in administration, notifying everyone whose information is affected takes significant time and resources. Likewise, retraining everyone on improved security practices can involve serious employee hours spent away from providing care.

Organization Reputation – media alerts can create significant unwanted, negative attention for a healthcare organization. Repairing reputation after a breach can take significant time and effort.

Personal Impacts – breaches can end careers and divert productive employee hours. Patient care can be affected as well.

HealthStream’s compliance training solutions help healthcare organizations across the care continuum comply with government regulations and accrediting body requirements while developing and engaging staff. In addition to providing essential tools and training to help you remain compliant, we help analyze your training data and provide insight into your training initiatives—enabling you to measure compliance progress, identify outstanding challenges, and determine where to make compliance program improvements. Our innovative educational content, data solutions, and tools are recognized throughout healthcare as the industry standard for comprehensive and engaging compliance training.