Problems with HIPAA Breach Cost Estimates

How is it possible to accurately calculate the necessary level of healthcare insurance cover and obtain the best priced healthcare insurance policies when there are so many problems with HIPAA breach cost estimates?

According to a recent article in Fortune, obtaining – or calculating – accurate data breach cost estimates is virtually impossible, with one lawyer contributing to the article describing it as “black magic”. The truth is that no one knows how much a HIPAA data breach costs because there are simply too many uncertainties and variables.

The article was prompted by a previous investigation which determined that the actual cost to companies hit by data breaches “is trivial”. However, the honest answer to the question “How much does a HIPAA data breach actually cost?” is that we simply do not know: there is not enough data, and what data there is can be quite inaccurate.

There are many methods used to calculate data breach costs. One of the most commonly used models is “cost-per-record”, which has been used by the Ponemon Institute, among others, to calculate breach costs. The current figures are in the region of $201 per record, having increased from $188 in 2014 according to Ponemon.

Verizon has also attempted to calculate breach costs, and this year, in its eighth Data Breach Investigations Report, it has done just that. Verizon sought assistance from NetDiligence, which provided important data on data breach insurance claims. With this hard data on insurance payouts for actual data breaches, the researchers thought they would be able to calculate a more accurate figure for the cost per record, which they say is $0.58 per record; a number vastly different from the $201 per record figure calculated by the Ponemon Institute.

The Difficulty with HIPAA Breach Cost Estimates

The problem with the models used to calculate breach costs is that they often overestimate the cost of large data breaches and underestimate the cost of smaller HIPAA breaches. Different methods are also used to analyze the data, which can produce different cost estimates.

Applying the Ponemon method to smaller data breaches appears to work well enough, but the model fails with larger security incidents, which is why the sample data is limited to breaches involving fewer than 100,000 records. The Premera BlueCross data breach, which involved the loss of 11 million records, would, using the Ponemon method, end up costing about $2.2 billion, while the Target data breach would cost around $8 billion. The costs of the Premera breach are not known, although according to Fortune, Target has spent approximately $100 million on its data breach – or 0.1% of its total sales. That is certainly not the 10% of its top line that $8 billion would represent.

The Verizon report also contains inaccuracies, as insurance policies have limits on payouts. When the costs of a breach exceed the cover provided by the policy, errors are introduced. Verizon admits that its figures are influenced by this and other variables, such as the inability to account for OCR and other fines, as well as the eventual payouts – if any – from civil claims for damages. Verizon researchers have admitted that their cost estimate is not reliable, while pointing out that other models are also flawed.

Until companies release more accurate data on the true cost of HIPAA breaches, and that data is included when calculating HIPAA breach cost estimates, the figures are always likely to be flawed. In the meantime, your HIPAA breach is likely to cost somewhere between 58 cents a record and $201 a record. However, it may cost more or less.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news