The annual Ponemon 2011 Cost of Data Breach Study has been released and it gives very good insight. The study looks at the various costs of data breaches across industries such as media, retail, financial, healthcare and pharmaceutical. Let’s focus on the costs of data breaches in the healthcare industry.
Overall the average cost of a data breach across all industries was $194 per record. The cost of a data breach in healthcare was $240 per record. Before we examine what makes up these costs, let’s look at some of the financial impact of a data breach.
[Chart: cost of a data breach by # of records]
The above chart shows a simple multiplication, but it does point out that the cost of a data breach gets into significant numbers pretty quickly. In the past you would need a truck to steal or lose 10,000 patient charts / records. Now a single lost backup tape with a few years of EMR data can easily contain 10,000 or more records.
Let’s take a look at what makes up some of the costs of a data breach.
One of the largest costs of a healthcare data breach is the lost revenue from patients / customers leaving because of the breach. The report measures this as the abnormal churn of patients / customers.
Turnover of existing customers: The estimated number of customers who will most likely terminate their relationship as a result of the breach incident. The incremental loss is abnormal turnover attributable to the breach incident. This number is an annual percentage, which is based on estimates provided by management during the benchmark interview process.
Diminished customer acquisition: The estimated number of target customers who will not have a relationship with the organization as a consequence of the breach. This number is provided as an annual percentage.
The abnormal churn or turnover rate of customers / patients who leave because of a data breach is 4.2% in healthcare. To put that into perspective, the abnormal churn rate of a retail company was just 1.9% and the churn rate of a financial company (think credit card) was 5.6%. So it is safe to assume patients express their dismay over data breaches by leaving the organization / practice that was responsible for the breach.
In addition to losing revenue due to customers / patients leaving, other activities that make up the cost of a data breach include:
Detection and escalation costs. Costs associated with detection and escalation of the data breach event. Such costs typically include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and board of directors. As noted, average detection and escalation cost declined from its high of $455,304 in 2010 to $428,330 in the present study.
Notification costs. Costs associated with notification activities. Such costs typically include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs and inbound communication set-up. This year’s average notification increased slightly from $511,454 in 2010 to $561,495. The highest notification cost over seven years was $662,269, which occurred in 2006. This increase could be attributed to the fact that more than 45 states have data breach notification laws and there are other regulatory requirements.
Post data breach costs. Costs associated with ex-post (after-the-fact) activities. Such costs typically include help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services and regulatory interventions. Average ex-post response cost decreased from a seven-year high of $1,738,761 in 2010 to $1,505,049 in this year’s study. This finding suggests greater efficiencies but also could mean organizations in this year’s study are spending less on such remediation activities as offers of discounts or identity protection services.
Hopefully this gives you more insight into the real expenses of a patient data breach. As a quick calculation of risk, ask your IT department or company to tell you the number of records in your EMR. Assume these records are being backed up onto tape or some other form of media. To estimate your exposure in the event the tape or media is lost or stolen, take the number of records in the EMR and multiply it by $240 (note there may be multiple records per patient, but this is a good back-of-the-envelope calculation). You now have a good estimate of what your exposure is. The next step is to make sure none of those records are involved in a data breach.