Sector profile
Healthcare data breaches cost $7.42M on average and take 279 days to identify and contain.
IBM's 2025 healthcare figure is $7.42M, down 24% from the 2024 peak of $9.77M but still 67% above the global $4.44M average. Healthcare breaches also take the longest of any sector to identify and contain: 279 days against a global mean of 241, more than five weeks longer. Healthcare has held rank #1 for 14 consecutive years, the longest unbroken streak in the dataset.
Avg total cost
$7.42M
IBM CODB 2025, healthcare
Breach lifecycle
279 days
Longest of any sector
YoY change
-24%
Down from 2024 $9.77M peak
Years at #1
14
Consecutive, per IBM 2025
Section HC.1
Why healthcare costs roughly twice what retail costs
The structural answer is that healthcare records carry a much richer payload than the data classes other sectors hold. A complete patient record contains name, address, date of birth, Social Security number, insurance ID, payer information, prescription history, diagnosis codes, provider notes, and frequently next-of-kin information. On underground markets that combination has historically priced at $250 to over $1,000 per record, against roughly $5 for a stolen credit card. The economic asymmetry is the foundation of every other cost driver.
The regulatory regime amplifies the underlying data sensitivity. The HIPAA Breach Notification Rule requires covered entities to notify each affected individual without unreasonable delay and within 60 days of discovery, to notify the Department of Health and Human Services Office for Civil Rights (within 60 days for breaches of 500 or more individuals, annually for smaller ones), and, for breaches affecting 500 or more residents of a state or jurisdiction, to notify prominent media outlets serving that area. The notification obligation alone produces a per-record letter cost of around $1 to $3 plus call-centre support of $20 to $80 per call handled. For a breach affecting 100,000 patients, baseline notification cost runs $200K to $400K before any regulator engagement.
Patient-care disruption is the most expensive line item that does not appear on a balance sheet until weeks later. When ransomware encrypts an electronic health record system, every patient appointment scheduled in that EHR has to be triaged manually, every prescription verified by paper chart, every insurance authorization rebuilt by phone. The ripple cost shows up across multiple cost categories: lost business (procedures rescheduled to competitors), post-breach response (overtime clinical staff), and detection-escalation (forensic and compliance investigation that has to run in parallel with the recovery operation). The Change Healthcare incident in 2024 illustrated this with brutal clarity, as the inability to process pharmacy claims left independent pharmacies and small medical practices unable to operate for weeks.
Section HC.2
Per-record economics: what a PHI record costs to lose
IBM publishes per-record cost by data type, not by industry: $178 for intellectual property, $168 for employee PII, $160 for customer PII, and $115 for anonymized data in 2025. There is no IBM-published healthcare per-record figure. Scaling the $160 customer-PII baseline by healthcare's cost ratio against the global average (7.42 / 4.44) produces a modeled estimate of roughly $267 per PHI record, an estimate, not IBM data. Whatever unit figure is used, it aggregates detection, notification, post-breach response, and lost business; it is not a market price for stolen data, and it is not the cost paid by the affected patient.
The premium over other sectors reflects the long-tail liability of PHI exposure rather than transient market conditions. Stolen credit-card numbers can be replaced within days of detection. A stolen genome or HIV diagnosis cannot be retracted, and HIPAA's notification obligations bind regardless of whether the data is ever monetised; the credit-monitoring commitments that follow are usually imposed by settlements or state law and run for years.
For practical estimation, any per-record figure is most reliable when applied to mid-volume breaches of roughly 10,000 to 100,000 records, the range IBM actually studied (2,960 to 113,620 records in the 2025 report). Below 10,000 records the fixed cost of forensics and legal counsel dominates, pushing effective per-record cost into the thousands. Above roughly 100,000 records, fixed-cost amortisation takes over; mega-breaches at the 100 million record scale typically show per-record cost in the $5 to $25 range, even though the totals are immense. Use the homepage calculator to model your specific record count instead of applying a unit figure as a flat multiplier.
Section HC.3
OCR HIPAA enforcement: the regulator side of the bill
The HHS Office for Civil Rights is the principal federal enforcer of HIPAA. OCR maintains a public breach portal, frequently called the "Wall of Shame", listing every reported healthcare breach affecting 500 or more individuals, with the covered entity's name, type, state, the number of individuals affected, the breach type and the location of the breached information, and the listing is downloadable as a CSV. The OCR Breach Portal is the single most useful public dataset for benchmarking healthcare breach scale against your peer cohort. Resolution agreements that include monetary settlements are published as enforcement highlights on the OCR website.
HIPAA penalties operate on a four-tier civil monetary penalty structure introduced under the HITECH Act and adjusted annually for inflation. The tier structure effective 28 January 2026 is: Tier 1 (lack of knowledge, $145 minimum to $73,011 per violation), Tier 2 (reasonable cause, $1,461 to $73,011), Tier 3 (willful neglect, corrected, $14,602 to $73,011), and Tier 4 (willful neglect, not corrected, $73,011 to $2,190,294 per violation). Under OCR's 2019 enforcement discretion (still in effect), the cap per identical provision per calendar year differs by tier ($36,506, $146,053, $365,052 and $2,190,294) rather than applying a single $2.19M cap to all four. The cap applies per provision violated, and a continuing violation counts every day it persists, so a single incident that breaches several provisions (risk analysis, access controls, breach notification timing) across more than one calendar year stacks to seven-figure and, in Anthem's case, eight-figure totals.
Beyond OCR civil penalties, healthcare entities face state attorney-general actions that frequently exceed the federal settlement. The Anthem 2015 breach attracted a $39.5M multistate AG settlement, two and a half times OCR's $16M HIPAA settlement (still the largest OCR has announced), on top of a $115M class-action settlement, for a total cost north of $260M once Anthem's remediation spend is included. State AGs have become steadily more active, with California, New York, and Texas leading in volume of actions.
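The benchmarking the portal supports, as an added example that is not part of this page or of any OCR tooling: the script below parses a CSV in the column layout of the portal's export (the column names are assumed to match that export; the rows are constructed for illustration and are not real breach reports), narrows to a peer cohort by covered-entity type and submission date, and returns the cohort median, the share of cohort breaches no larger than a given record count, and the share attributed to hacking/IT incidents.

```python
import csv
import io
import statistics
from datetime import date

# Constructed sample in the column layout of the OCR breach portal's CSV export.
# Column names are assumed to match the portal; every row is invented.
SAMPLE_PORTAL_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Regional Health,TX,Healthcare Provider,12400,03/14/2025,Hacking/IT Incident,Network Server,No
Example Clinic Group,OH,Healthcare Provider,3200,05/02/2025,Unauthorized Access/Disclosure,Email,No
Example Health Plan,CA,Health Plan,88000,01/21/2025,Hacking/IT Incident,Network Server,Yes
Example Hospital System,NY,Healthcare Provider,410000,06/30/2025,Hacking/IT Incident,Network Server,Yes
Example Billing Services,FL,Business Associate,1500000,02/11/2025,Hacking/IT Incident,Network Server,Yes
Example Family Practice,PA,Healthcare Provider,780,04/09/2024,Theft,Laptop,No
Example Medical Center,IL,Healthcare Provider,26000,11/18/2024,Hacking/IT Incident,Network Server,No
"""


def parse_portal_csv(text):
    """Turn the portal export into dicts with typed count and date fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        # Portal dates are MM/DD/YYYY; a blank count is treated as zero.
        m, d, y = r["Breach Submission Date"].split("/")
        rows.append({
            "entity": r["Name of Covered Entity"],
            "type": r["Covered Entity Type"],
            "individuals": int(r["Individuals Affected"] or 0),
            "submitted": date(int(y), int(m), int(d)),
            "vector": r["Type of Breach"],
            "ba_present": r["Business Associate Present"] == "Yes",
        })
    return rows


def peer_cohort(rows, entity_type, since):
    """Keep only breaches of the same entity type submitted on or after `since`."""
    return [r for r in rows if r["type"] == entity_type and r["submitted"] >= since]


def benchmark(cohort, my_count):
    """Place a breach of `my_count` individuals against the cohort."""
    if not cohort:
        raise ValueError("empty cohort: widen the date window or entity type")
    counts = sorted(r["individuals"] for r in cohort)
    at_or_below = sum(1 for c in counts if c <= my_count)
    hacking = sum(1 for r in cohort if r["vector"] == "Hacking/IT Incident")
    return {
        "n": len(counts),
        "median": statistics.median(counts),
        # share of cohort breaches no larger than yours (0.67 = larger than two thirds)
        "percentile": at_or_below / len(counts),
        "hacking_share": hacking / len(cohort),
    }


if __name__ == "__main__":
    rows = parse_portal_csv(SAMPLE_PORTAL_CSV)
    providers_2025 = peer_cohort(rows, "Healthcare Provider", date(2025, 1, 1))
    print(benchmark(providers_2025, 50_000))
```

Against the real export, replace SAMPLE_PORTAL_CSV with the file downloaded from the portal; the "Business Associate Present" flag is worth keeping in the cohort filter, since the Change Healthcare and Premera-style third-party incidents dominate the upper tail and distort a provider-only median if left in.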
Section HC.4
Notable healthcare breaches and what they cost
Change Healthcare (UnitedHealth), 2024
190M records / ALPHV/BlackCat ransomware / Citrix portal credential
$2.45B+
Change Healthcare, UnitedHealth's claims clearinghouse, processes around 15 billion healthcare transactions a year. In February 2024 an ALPHV/BlackCat affiliate gained access through a Citrix remote-access portal that lacked MFA, exfiltrated data on roughly 190 million individuals (the count UnitedHealth finalized in January 2025), and encrypted core claims-processing systems. UnitedHealth paid a $22 million ransom, after which the affiliate, cut out of the payment by the BlackCat operators, attempted a second extortion with the same data. The $2.45 billion figure is the upper end of the full-year impact range UnitedHealth gave in its Q2 2024 earnings release; later 10-Q filings revised the total upward, so the card value is a floor. The remediation, third-party assistance, customer support, and direct response costs continue accruing into 2026.
Primary source: UnitedHealth Group Q2 2024 earnings release and 10-Q filings, 2024-2025.
Anthem (Elevance Health), 2015
78.8M records / Spear-phishing / No encryption at rest
$260M+
Anthem disclosed the largest healthcare breach of its era in February 2015 after a state-sponsored intrusion (later attributed by the FBI and DOJ to China) accessed names, SSNs, dates of birth, employment, and income data for 78.8 million members and former members. Anthem agreed to a $16M OCR HIPAA settlement in 2018, a $115M class-action settlement in 2017, and a $39.5M multistate AG settlement in 2020. The three settlements total $170.5M; adding Anthem's disclosed post-breach remediation and security-improvement spend brings the total cost to approximately $260M.
Primary source: OCR press release 15 October 2018; class-action settlement order, In re Anthem Inc. Data Breach Litigation; California AG announcement 30 September 2020.
Premera Blue Cross, 2014
11M records / Custom malware / 9-month dwell time
$91M
Premera disclosed in March 2015 that custom malware deployed on its network in May 2014 had accessed PHI for 11 million members. Detection took 9 months. Premera resolved OCR's investigation with a $6.85M HIPAA settlement in September 2020, paid a $74M class-action settlement in 2019, and paid $10M to a 30-state attorney-general coalition in July 2019, roughly $91M in total.
Primary source: OCR HIPAA enforcement settlement 25 September 2020; multistate AG announcement 11 July 2019.
23andMe, 2023
6.9M records / Credential stuffing / DNA Relatives exposure
$400M+
23andMe combines healthcare cost dynamics with the unrecoverability of genetic data. The October 2023 breach used credential stuffing against roughly 14,000 accounts that had reused passwords and had not enabled MFA, then chained the DNA Relatives feature to enumerate linked profiles, ultimately exposing data on 6.9M users. A $30M class-action settlement was reached in 2024, but the brand damage was unrecoverable. 23andMe filed for Chapter 11 bankruptcy in 2025, attributing operating losses in part to the breach. The total economic impact, including market-cap erasure from peak valuation, exceeded $400M.
Primary source: 23andMe SEC 8-K filings, Q4 2023; class-action settlement order Northern District of California, 2024; Chapter 11 filing 2025.
Section HC.5
What healthcare-specific controls actually move the cost
Across IBM's 2025 dataset, the capability with the largest verified cost difference is security AI and automation deployed extensively: $3.62M average breach cost versus $5.52M without, a $1.9M gap. The top factors in IBM's 2025 cost-factor analysis follow: DevSecOps approach (-$227K), AI/ML-driven security insights (-$224K), SIEM (-$212K), threat intelligence (-$212K), encryption (-$208K), and employee security training covering phishing recognition and data-handling discipline (-$192K). IAM, including MFA enforcement on every account, especially clinical-staff and contractor accounts (-$190K), remains the highest-return control on a dollar-per-dollar basis because the implementation cost is so low and compromised credentials remain a top-four initial vector.
Healthcare-specific overlays that compound the generic controls: network segmentation between clinical and corporate networks limits ransomware blast radius; encryption at rest with documented key-management practice qualifies for the encryption safe harbor under HIPAA's breach definition and most state breach-notification laws, removing the notification obligation for encrypted data whose key was not also compromised; tabletop exercises that include the clinical leadership team (not only IT and security) materially reduce the response time for the patient-care components of the incident.
On the prevention pricing side, see PenetrationTestingCost.com for healthcare pen-test pricing benchmarks, PCIComplianceCost.com for the card-data side of healthcare billing operations, and EDRCost.com for endpoint detection pricing in clinical environments.
Cross-references
Case / Change Healthcare 2024
→$2.45B cost analysis with attack-vector breakdown and timeline.
Case / Anthem 2015
→$260M total: $115M class action, $39.5M state AG, $16M OCR.
Regulation / HIPAA penalties
→Four-tier penalty structure, OCR enforcement, $2.19M Tier 4 cap (2026).
Cost / Per record
→$178 IP to $115 anonymized by data type, plus modeled sector estimates.
Cost / Credit monitoring
→$10-$30 per affected person per year, settlement-driven enrollment.
Index / All industries
→All 17 IBM sectors ranked from healthcare to public sector.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source: Healthcare sector cost figures from IBM Cost of a Data Breach Report 2025. HIPAA enforcement data from HHS OCR. Notable breach totals from publicly disclosed SEC filings, OCR resolution agreements, and class-action settlement orders.