Healthcare Technology Featured Article

July 16, 2019

Healthcare Data Breaches: The Intangible Costs

Over the past several years, healthcare data breaches have resulted in the loss, theft, unauthorized access, impermissible disclosure, or improper disposal of millions of healthcare records. Last year alone there were 18 major data breaches. Eight of those saw more than half a million healthcare records exposed, while three exposed more than one million healthcare files. Healthcare data breaches cost an average of $408 per record, the highest of any industry for the eighth straight year and nearly three times higher than the cross-industry average of $148 per record.

While calculating the financial cost of healthcare data theft is a relatively easy exercise in forensic accounting, the theft of sensitive healthcare-related information and data comes with costs other than customer turnover and operational expenses. Often these are intangible and include damage to corporate reputation and the erosion of investor and consumer confidence.  

Harsha Gummadavelli

Just one example

For example, take the case of UnityPoint Health, which operates a network of hospitals, clinics and home care services in Iowa, Illinois and Wisconsin. On May 31, 2018, the company discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients. In some cases, this included Social Security numbers, driver's license numbers, and payment card or bank account numbers. In all, more than 1.4 million patients throughout the three-state UnityPoint Health system were affected by the phishing attack.

The company said in a public statement that upon learning of the attack, it had “informed law enforcement agencies and launched an investigation with an expert computer forensics firm to determine the size and scope of the attack, as well as the number of people potentially impacted.” Further, the company reported it had taken a number of “important steps intended to protect its systems and prevent similar situations from happening in the future.”  

Intangible costs of data breaches

While UnityPoint and other organizations have experienced financial loss resulting from data breaches, the intangible costs are more difficult to calculate. For example, a company’s professional reputation is something that is carefully crafted over time. It is both guarded and respected. However, when a data breach or data loss occurs, the accumulated goodwill can easily slip from the company’s grasp. In this context, unless appropriate and effective steps are taken, the tarnish to a hard-won reputation can eventually lower the curtain on any company, no matter how large.

Second, every company has its own unique customer base. At the same time, it also has competitors who claim they can offer the same or similar services better. Once a company loses the trust and confidence of its customers, it is extremely difficult to regain their loyalty.

Third, the loss of intellectual property is a significant factor when it comes to the intangible costs of data breaches. This loss can negatively impact a healthcare company’s competitive advantage as well as hamper the company’s ability to pursue new marketplace opportunities and extend its contracts with existing customers.

Although the immediate financial cost of data breaches is calculable when it comes to the company’s short-term bottom line, the long-term financial well-being is much more difficult to assess. One of the lesser-known facts is that if the organization is an insured entity, it might see an increase in its premium amounts or, worst case, could be denied an extension of its insurance coverage.

Knowing where the costs lie and how to reduce them can help companies invest their resources more strategically and lower the huge financial risks at stake. Implementing effective security mechanisms to prevent such breaches is itself a useful way to maintain or regain confidence and rebuild a dented reputation.

Take a proactive approach

According to business consultancy Deloitte, there are several questions that any critical examination of an existing data security system should address. These include key questions such as:

  • Where is it possible to reduce the number of people with access to IP?
  • Where are the most vulnerable links in the routine handling and protection of IP?
  • Is the company’s data management/protection strategy sufficient and well understood?
  • Are cyber monitoring capabilities aligned and prioritized to detect threats against the company’s most strategic IP assets, including fully leveraging private sector-government cyber threat sharing capabilities?
  • If the company’s innovation ecosystem extends to partners, suppliers or third parties, have controls and policies been appropriately extended beyond corporate borders?
  • Are well-meaning researchers or developers knowledgeable about the company’s security capabilities?

These questions cut to the core and clearly illustrate that the effective, proactive protection of potentially vulnerable healthcare data is not just a technical utility but a function of human awareness. The answers lead to a step-by-step process to protect and reduce cyber risks.

In short, a preventative, proactive, rather than reactive, approach is essential to the successful security of healthcare data. These essentials include systems, procedures and technology. At the same time, it is critical for everyone involved throughout the entire life cycle of the data to be made aware of their essential role in guarding that data from pillage by cyber intruders. In this way, the well-known tangible effects of data breaches or cyberattacks (regulatory fines, investigations and post-breach analysis and protection) and the lesser-known costs of intangible damage (reputation, marketplace position, customer trust, intellectual capital) can be mitigated.

About the Author: Harsha Gummadavelli is a Senior Architect at a leading cloud data management company, specializing in implementing data protection software for organizations across the globe. He has worked with a number of Fortune 500 companies and has garnered vast experience specifically working with healthcare clients to enhance their data protection programs.

Edited by Maurice Nagle