
New report details data breach costs in the health care industry


With the increasing depth of patient and vendor data health care organizations must store and transmit, the industry has become a prime target for hackers and other cybercriminals. In order to effectively respond to emerging data security threats, companies must understand the nature of potential threats, where they originate and the true costs associated with a data breach.

RSM is a longtime sponsor of the annual NetDiligence® Cyber Claims Study, which uses cyber liability insurance claim data to determine the actual cost of incidents from an insurer’s perspective. In April, NetDiligence also published a deep-dive analysis of cyber risk insurance claims in the health care sector to identify the specific challenges facing the industry. The new RSM-sponsored NetDiligence Spotlight Healthcare report provides several key insights into the industry’s specific data breach threats and associated damages.


The report highlights many common issues faced by organizations in the health care sector. For instance, the study found that “approximately 63 percent of health care breaches were caused by criminal or malicious activity” with hacking as the most common cause of loss (20 percent).

It is no surprise that this industry is a prime target for attackers, and it isn’t that shocking that hacking is the leading cause of breaches. Few companies hold more information, at a greater market value, on their customers than those in health care. We find that the health care industry, in general, has improved its security posture and maintains environments better than many industries, but it generally ranks behind financial services companies. For example, RSM was able to compromise health care companies approximately 40 percent of the time during external penetration tests. However, most health care companies recognize this risk and are proactively working to protect against cyberattacks.


Surprisingly, ransomware accounts for only 10 percent of all health care claims, according to the NetDiligence report. Ransomware is often discussed in boardrooms and information technology (IT) security offices and has been a favorite topic for media outlets, but these findings indicate that focusing on ransomware alone may be a mistake.

High-visibility incidents like ransomware can sometimes take up a disproportionate percentage of security funding when those resources could be better spent guarding against incidents of high frequency and higher cost. Management should ensure that security investments are fortifying the required foundation of a quality program, not targeting individual threats such as ransomware.


The NetDiligence report highlights that breaches are far more costly for health care organizations than breaches in other industries. Key findings include:

  • While health care claims comprised 17 percent of claims in the overall 2017 claims data set, they represented 28 percent of total breach costs ($65 million of $229 million).
  • The average total crisis services costs for health care was more than three times higher than the average for all other sectors ($676,000 vs $204,000).
  • Credit and ID monitoring, and notification costs accounted for approximately 70 percent of health care breach costs.

Together, these findings suggest more than just the obvious (that costs in the health care industry tend to be high). The study also points toward the increasing portion of finances consumed by credit monitoring services.

When nearly three-quarters of breach costs go to these services rather than fines or lost revenue, it may be time for the industry to review why credit monitoring costs so much. Individual companies might want to shop around for better prices. In addition, perhaps health care organizations could band together at a national level to negotiate for better rates in a consortium model. Regardless, working closely with insurance carriers is critical to maintaining the lowest costs and ensuring the insurance plan activates.

There are many insights to be derived from this new health care-focused data breach study. Industry leaders and risk management professionals should review the 2018 NetDiligence Spotlight Healthcare report to understand the real costs of data insecurity as well as trends for where the health care sector may be headed in the future.
