Headlines about data breaches are all too common recently, with large companies like Target and Home Depot experiencing large-scale data breaches. The healthcare industry was hit particularly hard in the past few years, with organizations like Anthem Inc. and St. Joseph Health System, to name but two, suffering massive health data breaches.
Many of these organizations are still calculating the cost of these data breaches; Anthem is currently engaged in a class-action lawsuit with the affected patients, and St. Joseph recently agreed to pay $7.5 million to the victims of its 2013 breach. When considering the cost of a healthcare breach, however, organizations must look beyond the obvious direct costs and also consider the long-term and perhaps less direct costs, especially lost revenue, brand value, and patient loyalty. In this installment of Protenus’ Cost of a Breach series, we take a closer look at the costs associated with lost revenue and brand value due to patient or customer attrition. Although these indirect costs can be harder to calculate than the direct ones, they often outweigh any other individual cost an organization incurs in the wake of a data breach.
Direct and Indirect Costs of a Breach
The total cost of a health data breach can be divided into two main categories: direct and indirect costs. Direct costs are any costs that can be traced directly back to a data breach. These include the cost of conducting a forensic investigation, notifying affected patients, handling lawsuits, and paying any fines as a result of the breach. In our previous posts, Cost of a Breach: Forensics and Notification and Cost of a Breach: Lawsuits, we detail more about the direct costs of a breach.
Indirect costs, on the other hand, are any costs that do not seem to be directly related to a breach, but can still be traced indirectly back to it. These include lost revenue and brand value resulting from increased patient churn in the aftermath of a health data breach.
The Single Most Costly Aspect of a Data Breach
Although the direct costs of a breach are high, indirect costs still represent a significant part of the total cost of a data breach and often linger long after the direct costs have ended. In fact, the single biggest cost an organization will face as a result of a breach is lost business. Looking across multiple industries, an organization can expect to lose approximately $3.97 million due to customer losses, “reputational losses and diminished goodwill.” Compare this to the Ponemon Institute’s estimate that a healthcare organization will spend $610,000 on forensics, and it quickly becomes clear that the cost of lost revenue and brand value outstrips any other individual cost associated with a data breach.
Furthermore, the indirect costs of a breach are even higher in highly regulated fields such as healthcare and financial services. The fines and higher customer attrition in these fields mean that an organization can expect to spend more money and lose more customers in the wake of a breach than in other industries. Healthcare organizations, in particular, experience high rates of customer churn due to the sensitive and personal nature of the information involved. Customer churn increases by 6.7% in the wake of a healthcare breach. This number is over three times what a retail company can expect to experience in the aftermath of a breach (2.2%). Looking at the cost from a different angle, the Ponemon Institute states that lost revenue and brand value will equal approximately 40% of the total cost of a healthcare data breach. Clearly, then, these indirect costs should be a significant concern for healthcare organizations.
One Approach to Mitigate Risk
The benefits of investing in proactive patient privacy analytics extend far beyond merely saving an organization from the direct costs of a hospital data breach; it also helps protect an organization’s brand value and prevent customer loss by improving the hospital’s security posture with regard to patient privacy. In a survey of customers who had been victims of a data breach, the Ponemon Institute found that 54% of respondents said that nothing an organization could do would prevent them from discontinuing their relationship with that organization. Similarly, a study by the fraud prevention company Semafone found that the vast majority of customers, whether or not they were victims of a breach, would not do business with a company that had suffered a breach. Organizations that have a robust patient privacy analytics program in place can prevent affected customers from leaving, while at the same time attracting new customers because of their emphasis on keeping patients’ data safe. Within a competitive environment, with far-ranging choice for many patients, it becomes a differentiator, a badge of pride, for the hospital systems that are efficiently and effectively protecting ePHI within their systems.
By investing in a proactive patient privacy analytics platform, organizations lessen the risk of reputational damage and see the benefit of being perceived by current and prospective customers as leading the way on patient privacy.
Download our Cost of a Breach white paper to learn all of the potential costs associated with a healthcare data breach.