Study: Hospitals dramatically increase ad spend following data breaches

Determining the actual cost of a data breach is difficult and often leads to heated discussions in security circles. How do you determine how many customers who left (following a breach) wouldn’t have left anyway? Perhaps they already were upset with the organization for some other reason. How do you know if a sales decline should be directly attributed to a recent breach or to some other factor? And, if sales increased after a data breach, did the data breach perhaps slow the acceleration of sales? It’s tough trying to separate fact from fiction in these scenarios. This is why it can be so hard to determine the total cost of a data breach, even though many of those costs are more easily quantified, such as investigation costs, clean-up and fines.

When it comes to security in the healthcare industry, there’s an additional factor that I hadn’t considered. It turns out, according to research from Sung J. Choi and M. Eric Johnson, advertising costs increase substantially for hospitals following a data breach.


According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals covered by the Health Insurance Portability and Accountability Act (HIPAA) must report data breaches that expose more than 500 individuals. They must make these disclosures to those affected, of course, but also to Health and Human Services (HHS) and sometimes the media.

Not surprisingly, disclosing such a breach is a public relations nightmare. According to Choi and Johnson’s study, “Understanding the Relationship Between Data Breaches and Hospital Advertising Expenditures,” breached hospitals significantly increased their advertising expenditures for two years following the event. It seems repairing a reputation damaged by a data breach comes at a considerable cost.

In their analysis, the researchers found that breached hospitals spend nearly three times more on advertising than hospitals that haven’t been breached. “The breached hospitals spent nearly 3 times more on advertising than the control hospitals (approximately $688,000 vs $238,000 for annual spending; $1,713,000 vs $551,000 for 2-year spending),” the study found. The study also found that breached hospitals were more likely to be larger in bed size (565.60 vs 291.49), more likely to be a teaching hospital (77.4% vs 41.7%), and higher in occupancy rate (69.11% vs 57.62%).

The researchers concluded that minimizing data breaches could reduce healthcare costs overall, and that repairing a breached hospital’s image and minimizing patient loss to competitors are potential drivers of the increased advertising spending. “Regardless of the motivation, breach response adds financial burden to hospitals and the healthcare system. Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality. Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security,” the researchers concluded.

This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters.