
The Cost of a Data Breach for Healthcare Organizations

Whether it's a stack of stolen paper files from a clinic or an exposure of millions of electronic patient records at a major hospital system, every data breach comes at a cost to patients, to healthcare providers and to quality care overall.

The Urgency of Improved Security

Consider this: protected health information (PHI) for half the population of the United States has been affected by breaches since 2009.[1] And while that is already an astounding number, from all appearances breaches aren't likely to slow down anytime soon.




An individual healthcare record brings up to $50 on the black market, 10 times as much as a stolen credit card number.[2]

  • Device theft
  • Device tampering
  • Error/lost devices
  • Misdelivery of information
  • Disablement of internal controls
  • Malware
  • Weak server/network password
  • Misplaced backup disks
  • Illegally copied paper files
  • Insider access/breach
  • Phishing
  • Network hacking


Hacks cost the healthcare industry about $6 billion a year.[2]

Financial nightmare. From legal costs to credit protection fees, cyber insurance premiums to lost revenue from bad press and fleeing patients, and even compliance violation fines — the financial cost of a data breach can be staggering. Reporting the breach, alerting patients and documenting the occurrence also come at a high cost. When all costs are added together, they can range from thousands to millions for individual entities, and billions for the industry as a whole.

Ruined reputation. Any breach affecting more than 500 individuals means a healthcare organization must notify the media.[3] The result is often hard-to-overcome damage to the healthcare entity's image and reputation, leaving a long, hard road to change public opinion from a PR perspective and earn back public trust.

Loss of patient trust. Loss of patient trust has the greatest impact — even more than public trust. In an era where hospitals must compete to attract patients in the first place, a data breach causes far-reaching ripples in the patient landscape. 

Compliance violations. Both HIPAA and HITECH address PHI security standards. Penalties and fines for violating HIPAA and HITECH security standards and notification regulations, should a breach occur, could range from $100 to millions of dollars. 


Each hacked record could cost a hospital around $20 in legal costs and credit protection.[2]


Financial woes. Unlike fraudulent credit card charges, fraudulent healthcare charges using a patient’s stolen information typically fall to the patient to resolve, whether those are actual healthcare fees or fees for remediation of the theft itself. Patients could be on the hook for thousands of dollars.

Identity struggles. With all advances come drawbacks. In the case of EHRs, once data is entered, it can't be removed. That means once someone has stolen a patient's identity and used it to obtain treatment, the false information merges with the patient's real health history, permanently corrupting the record and creating potential adverse health risks when the patient seeks future care.

Loss of trust in providers. It’s the old adage, “Fool me once, shame on you; fool me twice, shame on me.” Once there’s been a records breach, patients naturally lose trust in their provider. Some may leave to find a new doctor or health system altogether, and may tell friends and family to do the same. It’s a tough spot to be in — having a doctor you love within a healthcare organization you can no longer count on to keep you safe.

Keeping secrets. Recent studies have found that people are withholding information, sometimes critical information, from healthcare providers because they are concerned that the confidentiality of their records could be breached. This is not only a potential issue for the treatment of a specific patient; there are also potential public health implications. An unwillingness to fully disclose information could delay the diagnosis of a communicable disease.[1]

The 2014 per-capita cost of a data breach was far higher for healthcare than for any other sector of the economy:[3]

[Figure: 2014 per-capita data breach cost by sector, comparing healthcare organizations, financial services companies and consumer products organizations; the figures themselves are not reproduced on this page.]

Multifaceted security threats demand a multilayered security approach. CDW Healthcare can help you determine the right mix of data and network protection solutions to create a platform to better guard against breaches and hacks. This includes technologies that span:

  • Authentication
  • Data loss prevention
  • Mobile security
  • Encryption
  • Threat prevention

Jeremy Weiss, CDW Healthcare Security Solution Architect Team Lead

Q: What's the No. 1 security concern you're hearing from healthcare organizations?

A: It's twofold. First, it's user provisioning (the ability to get staff up and running quickly) and deprovisioning (if staff changes, the ability to get them off the system and audit it). Second, it's advanced persistent threats and phishing. With compliance becoming more strict, keeping users and data secure is top of mind for 2016.

Q: When crafting a data security plan, what are the biggest steps most providers overlook?

A: One is educating users. It's crucial that all users understand how they impact the organization from a security standpoint. Another is having a data security incident response plan. Many organizations are missing this piece of the security puzzle. When a breach does happen, knowing what can potentially be lost and being able to audit and control against it is crucial.


CDW Healthcare can provide the services to help ensure your healthcare organization stays on top of security measures to better protect patients and their valuable data:

Security Assessment

Security assessments encompass mobile security, endpoint security, risk assessment and compliance/threat prevention. We’ll conduct a targeted security analysis and network review, then design, configure and install a tailored security solution to help ensure patient data and the portal itself are secure.

DLP Risk Assessment

We help you determine how sensitive data is currently being used and who needs to have access to it, and then match data loss prevention enforcement to your security policy to ensure compliance.

Advanced attacks are more coordinated than ever before. Now, your defenses are, too. Sophos Security Heartbeat™ is revolutionizing security by synchronizing next-generation network and next-generation endpoint security, giving you advanced protection.


Is your data vulnerable to an attack?
Find out with a CDW Threat Check, or call us at 800.500.4239

1. “Shedding Some Light on the Problem of Medical Data Loss,” December 2015
2. “Billions to Install, Now Billions to Protect,” June 2015
3. “Five Questions to Ask Before Your Next Healthcare Data Breach,” 2015
