Report: Data Breaches Could Cost U.S. Healthcare Providers Over $300 Billion

Over the next five years, healthcare providers that fail to make cyber security a strategic priority will potentially lose more than $300 billion of cumulative lifetime revenue, according to a new report by Accenture. The company predicts that one in 13 patients­ – approximately 25 million people – will have their medical and/or personal information stolen from healthcare provider’s digitized records between 2015 and 2019, including Social Security numbers and financial records. “What most health systems don’t realize is that many patients will suffer financial loss as a result of cyber attacks on medical information,” said Kaveh Safavi, M.D., J.D., and managing director of Accenture’s global healthcare business.

“If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.”

The report highlights that last year alone, nearly 1.6 million people had their medical information stolen from healthcare providers. In many of these cases, some victims of medical identity theft have unwittingly paid bills run up by others, or were forced to reimburse their insurers for fraudulent healthcare costs. Accenture estimates that 25 percent of patients impacted by healthcare provider data breaches over the next five years ­(more than 6 million people) will subsequently become victims of medical identity theft. Furthermore, 16 percent of impacted patients (more than four million people) will be victimized and pay out-of-pocket costs totaling a whopping $56 billion between 2015 and 2019. However, in other cases, healthcare providers with complacent security practices will bear the brunt of such consequences. According to a study on medical identity theft conducted by the Ponemon Institute earlier this year, almost half of patients said they would find a different provider if they were informed that their medical records were stolen. To prevent revenue loss on this scale, healthcare providers are urged to prioritize improvements of their cyber security in order to thwart attacks that aim to steal patient data from clinical and financial systems. Tim Erlin, director of IT security and risk strategy at Tripwire, says that organizations can lower the probability of successful attacks by implementing foundational controls.

"100% security isn’t a realistic goal, but making breaches more expensive for the attacker doesn’t require perfect security," said Erlin.

Erlin adds that healthcare organizations should take notice of these trends and develop their own plans for defense and response. Findings from the study were based on historical security breach data from the U.S. Department of Health and Human Services Office for Civil Rights to project the number of patients likely to be affected by healthcare provider data breaches up until 2019.