Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Cost File 10.PR / Per-Record Cost (IBM CODB 2025 methodology)

Cost-component profile

Cost per record: $408 for PHI, $134 for government.

The per-record cost is the single most-searched metric in data-breach economics. IBM's 2025 per-record figure ranges from $408 for healthcare PHI down to $134 for government records, with a global average of approximately $160 across all sectors and data classes. The figure is most reliable for mid-volume breaches of 10,000 to 1 million records: below that range, fixed costs dominate and the effective per-record cost is higher than the sector figure; above it, fixed-cost amortisation reduces the effective per-record figure materially.

Global average: $160 (IBM 2025, all sectors)
Healthcare (PHI): $408 (highest of any sector)
Government: $134 (lowest of tracked sectors)
PII customer: $160 (mid-tier baseline)

Section PR.1

The full per-industry table

Industry             Per-record cost   Avg total cost   Primary regulation
Healthcare           $408              $7.42M           HIPAA
Financial Services   $228              $5.56M           PCI DSS / GLBA
Pharmaceuticals      $218              $5.01M           FDA / GxP
Technology           $196              $4.97M           SOX / GDPR
Energy               $191              $4.72M           NERC CIP
Services             $183              $4.43M           Varies
Education            $170              $3.8M            FERPA
Industrial           $155              $3.28M           NIST / ICS
Retail               $142              $2.96M           PCI DSS
Government           $134              $2.83M           FISMA / FedRAMP

(Sorted by per-record cost, highest to lowest.)

Source: IBM Cost of a Data Breach Report 2025. Per-record cost is calculated by IBM as total breach cost across the four cost categories (detection-escalation, notification, post-breach response, lost business) divided by the number of records exposed.

Section PR.2

The per-record cost by data class

Beyond the per-industry split, IBM tracks per-record cost by the type of data exposed. The 2025 figures are:

Data class                 Per-record cost   Indicative use
Intellectual property      $178              Source code, model weights, trade secrets
Customer PII               $160              Name, address, email, phone
Employee PII               $156              Same fields plus employment data, SSN
Anonymized customer data   $130              Pseudonymised behavioural records

The PHI figure of $408 is a sector-level number rather than a data-class number, reflecting the unique combination of regulatory burden, data sensitivity, and notification cost that applies to healthcare records specifically. PHI exposed at a non-healthcare entity (rare but possible, for example employee occupational-health records at a non-healthcare employer) is closer to the customer-PII figure of $160 than the healthcare-sector figure of $408.

For payment-card data, IBM reports the per-record cost as part of the retail and financial-services sector figures rather than as a distinct data class. The implied per-record cost for card-data-only breaches is approximately $142 (the retail sector figure), reflecting the relatively short useful life of stolen card data and the established PCI DSS remediation framework that produces predictable cost.

Section PR.3

When per-record cost is reliable

The per-record figure is most reliable for mid-volume breaches in the range of approximately 10,000 to 1 million records. Within this range the per-record cost behaves as a stable multiplier and is the right number to use for back-of-envelope breach-cost estimation. Below the lower bound and above the upper bound the relationship breaks down, for different reasons.

For breaches below approximately 10,000 records, fixed costs dominate. Forensic investigation does not scale linearly with record count: a forensic engagement for a 1,000-record breach still costs a minimum of $50K-$200K. Legal counsel has a similar fixed floor. Regulator notification is a per-event cost rather than a per-record cost. The result is that the effective per-record cost of a small breach can run into the thousands of dollars even though the sector per-record figure is far lower; dividing a mostly fixed bill by a small record count produces a large quotient.

For breaches above approximately 1 million records, fixed-cost amortisation reduces the effective per-record cost materially. Mega-breaches at the 100 million record scale typically show an effective per-record cost in the $5-$25 range. The Yahoo breach (3 billion records, approximately $470M total cost) implies a per-record cost of approximately $0.16, far below any sector benchmark. The Change Healthcare 2024 breach (190 million records, $2.45B+ total cost) implies a per-record cost of approximately $13, again well below the $408 PHI sector figure. The amortisation effect is real and material at scale, and it is why multiplying a mega-breach record count by the sector figure overstates exposure by one to two orders of magnitude.

Section PR.4

How the per-record figure has evolved over time

The per-record cost has trended upward over the past decade, with healthcare PHI rising from approximately $355 in 2015 to $408 in 2025 (a 15% increase, well below CPI growth over the same period). Customer PII has risen from approximately $146 to $160 (a 10% increase). The relative stability of per-record cost over time, against a backdrop of dramatic growth in total breach cost, reflects simple arithmetic: breach record counts have grown faster than per-record cost has risen, so total-cost growth is largely driven by scale rather than by unit cost.

The 2024-2025 healthcare per-record figure was unusual. The 2024 figure was approximately $434, a 6% jump from 2023. The 2025 figure of $408 takes the sector back to roughly its 2023 level ($434 / 1.06 is about $409). The volatility in healthcare specifically is associated with the Change Healthcare incident: 190 million records exposed in a single 2024 event is large enough to move any sector-level arithmetic. Two caveats apply when reading that explanation. A larger record count in the denominator pushes a per-record average down, not up, so the incident cannot by itself account for the 2024 rise; and IBM's headline sample deliberately excludes mega-breaches, which the report analyses separately, so an incident of this size affects the published sector figure only indirectly. The 2026 IBM report (when published) will probably normalise the figure further.

Section PR.5

Using per-record cost for budget planning

For breach-cost budget planning at a typical mid-market organisation (10,000 to 1 million records held), the per-record cost is the right starting point. For a healthcare provider holding 100,000 patient records, baseline breach exposure is $408 x 100,000 = $40.8M. For a financial-services firm holding 500,000 customer records, baseline exposure is $228 x 500,000 = $114M. For a retailer holding 2 million customer records (slightly above the upper bound, so apply an amortisation factor of 0.70-0.80), baseline exposure is $142 x 2,000,000 x 0.75 = $213M.

The figures above are central estimates. Cyber-insurance underwriters typically apply a 70-130% range around the central estimate to account for breach-specific factors: detection time (longer detection raises cost), attack-vector severity (ransomware adds 14%, insider threats add 11%, per IBM 2025), control posture (extensive AI/security automation saves $1.9M, MFA enforcement saves $0.8M), and incident-response readiness (an incident-response team retainer saves $2.66M). Note that the vector adjustments are percentages of the estimate while the control savings are absolute dollar amounts, so the order in which they are applied matters for a small estimate. For a fully-loaded estimate that accounts for these factors, use the homepage calculator rather than applying the per-record figure as a flat multiplier.

For organisations holding fewer than 10,000 records, the per-record figure is misleading. Use the SMB cost-range data on the small-business page instead, which is calibrated for the fixed-cost-dominated regime.
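The three regimes described in Section PR.3 and the budget arithmetic in Section PR.5 combine into a single piecewise estimator. The following is an added worked example, not the site's calculator and not IBM's published model. The sector figures, the 10,000 / 1 million record boundaries, the 0.75 factor at 2 million records, the Change Healthcare implied $13 per record, the 70-130% underwriter band and the vector/control adjustments are the numbers quoted on this page; the log-log interpolation between those anchors, the fixed-cost floor below 10,000 records (bracketed by the page's $50K-$200K forensic range) and the order in which adjustments are applied are assumptions made for illustration.

```python
"""Piecewise breach-cost estimator built on the per-record figures quoted on this page.

Added example: not the page's calculator and not IBM's published model. Sector figures,
regime boundaries, the (2M, 0.75) and (190M, $13/$408) anchors, the 70-130% band and the
adjustment figures come from the page; everything else marked 'assumption' is ours.
"""
import math

PER_RECORD_BY_SECTOR = {  # USD per record, from the page's PR.1 table
    "healthcare": 408, "financial_services": 228, "pharmaceuticals": 218,
    "technology": 196, "energy": 191, "services": 183, "education": 170,
    "industrial": 155, "retail": 142, "government": 134,
}
LOWER_BOUND = 10_000       # below: fixed costs dominate (PR.3)
UPPER_BOUND = 1_000_000    # above: amortisation lowers effective per-record cost (PR.3)

# Amortisation anchors: (records, fraction of the sector per-record figure retained).
# (2M, 0.75) is the page's PR.5 worked factor; (190M, 13/408) is its Change Healthcare
# implied per-record cost against the $408 PHI rate. Assumption: interpolate in log-log
# space between anchors and extend the last segment's slope beyond them.
AMORTISATION_ANCHORS = [(UPPER_BOUND, 1.0), (2_000_000, 0.75), (190_000_000, 13 / 408)]

# Assumption: per-event fixed costs (forensics, counsel, regulator notification) that do
# not scale with record count, bracketed by the page's $50K-$200K forensic range.
FIXED_COST_RANGE = (50_000, 200_000)

# Page's PR.5 adjustment figures: multiplicative uplifts and absolute savings (USD).
VECTOR_UPLIFT = {"ransomware": 0.14, "insider": 0.11}
CONTROL_SAVING = {"ai_automation": 1_900_000, "mfa": 800_000, "ir_retainer": 2_660_000}
UNDERWRITER_BAND = (0.70, 1.30)


def amortisation_factor(records: int) -> float:
    """Fraction of the sector per-record figure that still applies at this volume."""
    if records <= UPPER_BOUND:
        return 1.0
    pts = [(math.log10(r), math.log10(f)) for r, f in AMORTISATION_ANCHORS]
    x = math.log10(records)
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if x <= x1:
            break  # x lies in this segment; past the last anchor its slope is extended
    slope = (y1 - y0) / (x1 - x0)
    return 10 ** (y0 + slope * (x - x0))


def central_estimate(sector: str, records: int, vectors=(), controls=()) -> float:
    """Central breach-cost estimate in USD for the regime the record count falls in.

    Uplifts are applied as percentages first, then absolute control savings are
    subtracted (assumption about ordering; the page does not specify one).
    """
    per_record = PER_RECORD_BY_SECTOR[sector]
    cost = per_record * records * amortisation_factor(records)
    if records < LOWER_BOUND:
        cost += sum(FIXED_COST_RANGE) / 2  # midpoint of the fixed-cost floor (assumption)
    for v in vectors:
        cost *= 1 + VECTOR_UPLIFT[v]
    for c in controls:
        cost -= CONTROL_SAVING[c]
    return max(cost, 0.0)


def estimate_range(sector: str, records: int, vectors=(), controls=()):
    """(low, central, high) in USD after the page's 70-130% underwriter band."""
    c = central_estimate(sector, records, vectors, controls)
    return (c * UNDERWRITER_BAND[0], c, c * UNDERWRITER_BAND[1])


def effective_per_record(sector: str, records: int) -> float:
    """What the breach actually costs per record once regime effects are applied."""
    return central_estimate(sector, records) / records


if __name__ == "__main__":
    cases = [("healthcare", 1_000), ("healthcare", 100_000), ("financial_services", 500_000),
             ("retail", 2_000_000), ("healthcare", 190_000_000)]
    for sector, n in cases:
        low, mid, high = estimate_range(sector, n)
        print(f"{sector:18s} {n:>11,d} records: ${mid / 1e6:,.1f}M "
              f"(band ${low / 1e6:,.1f}M-${high / 1e6:,.1f}M), "
              f"${effective_per_record(sector, n):,.0f}/record effective")
```

Running the script reproduces the three PR.5 figures ($40.8M, $114M, $213M) in the mid-volume and lightly amortised regimes, and shows the two tails the page warns about: at 1,000 healthcare records the effective cost is several hundred dollars per record rather than $408 because the fixed floor dominates, and at 190 million records it collapses to the $13 the Change Healthcare numbers imply. Replace the anchor list or the fixed-cost bracket with your own incident data to recalibrate.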


Primary source: Per-record cost data from IBM Cost of a Data Breach Report 2025. Per-data-class figures from IBM CODB 2025 Appendix A. Historical trend data from prior IBM CODB reports 2015-2024. Sector-specific commentary cross-referenced with the per-industry pages.