Form: Cost-of-Breach Disclosure. Source: IBM 2025. Filed: 28 Apr 2026
DataBreachCost.com
Sector File 03.HC / Healthcare / HIPAA / HITECH

Sector profile

Healthcare data breaches cost $7.42M on average. Per record, $408.

IBM's 2025 healthcare figure is $7.42M, down 24% from the 2024 peak of $9.77M but still 67% above the global $4.44M average. The per-record cost of $408 is the highest of any tracked sector. Healthcare has held rank #1 every year since IBM began sector-level reporting in 2011, the longest unbroken streak in the dataset.

Avg total cost: $7.42M (IBM CODB 2025, healthcare)
Per record: $408 (highest of any sector)
YoY change: -24% (down from the 2024 peak of $9.77M)
Years at #1: 15 (since IBM sector tracking began)

Section HC.1

Why healthcare costs three times what retail costs

The structural answer is that healthcare records carry a much richer payload than the data classes other sectors hold. A complete patient record contains name, address, date of birth, Social Security number, insurance ID, payer information, prescription history, diagnosis codes, provider notes, and frequently next-of-kin information. On underground markets that combination has historically priced at $250 to over $1,000 per record, against roughly $5 for a stolen credit card number. That economic asymmetry is the foundation of every other cost driver.

The regulatory regime amplifies the underlying data sensitivity. The HIPAA Breach Notification Rule requires covered entities to notify each affected individual without unreasonable delay (and no later than 60 days after discovery), to notify the Department of Health and Human Services Office for Civil Rights, and, for breaches affecting more than 500 residents of a state or jurisdiction, to notify prominent media outlets serving that area; the Security Rule is what OCR then audits to decide whether the safeguards in place were adequate. The notification obligation alone produces a per-record letter cost of around $1 to $3 plus call-centre support of $20 to $80 per call handled. For a breach affecting 100,000 patients, letters alone run $100K to $300K, and with call-centre handling the baseline notification cost lands around $200K to $400K before any regulator engagement.

Patient-care disruption is the most expensive line item, and it does not appear on a balance sheet until weeks later. When ransomware encrypts an electronic health record system, every patient appointment scheduled in that EHR has to be triaged manually, every prescription verified against a paper chart, every insurance authorisation rebuilt by phone. The ripple cost shows up across multiple cost categories: lost business (procedures rescheduled to competitors), post-breach response (overtime for clinical staff), and detection and escalation (forensic and compliance investigation that has to run in parallel with the recovery operation). The Change Healthcare incident in 2024 illustrated this with brutal clarity: with pharmacy and medical claims unable to flow through the clearinghouse, independent pharmacies and small practices went weeks without being able to bill or get paid.

Section HC.2

Per-record economics: what $408 buys you in cost

IBM's per-record figure of $408 is an aggregate of every cost the breached organisation incurred, divided by the number of compromised records. It includes detection and forensic investigation, notification, post-breach response activities such as credit monitoring and identity-protection enrolment, and the lost-business component covering customer churn and reputation damage. The figure is not a market price for stolen data, and it is not the cost paid by the affected patient. It is the per-record financial exposure carried by the breached entity.

The healthcare per-record cost has held above $400 for three consecutive IBM reports (2023, 2024, 2025), making it the most stable indicator in the dataset. Compared to other regulated sectors the gap is consistent: financial services sits at $228, technology at $196, retail at $142, government at $134. The persistence of the premium reflects the long-tail liability of PHI exposure rather than transient market conditions. Stolen credit-card numbers can be replaced within days of detection. A stolen genome or HIV diagnosis cannot be retracted.

For practical estimation, the per-record figure is most reliable when applied to mid-volume breaches of 10,000 to 1 million records. Below 10,000 records the fixed cost of forensics, outside counsel and regulator engagement dominates, pushing the effective per-record cost into the thousands. Above 1 million records the per-record cost declines because those fixed costs are amortised over many more records and the variable items (mailing, credit monitoring, call-centre capacity) are bought at volume rates. Mega-breaches at the 100 million record scale typically show per-record cost in the $5 to $25 range, even though the totals are immense. Use the homepage calculator to model your specific record count instead of applying the $408 figure as a flat multiplier.
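The fixed-plus-variable shape described above (and the letter and call-centre arithmetic in section HC.1) is easy to get wrong with a flat multiplier, so here is a small estimator that makes the three regimes explicit. This is an added example, not the site's calculator and not an IBM model: the fixed cost, letter cost, call rate, call cost and the per-record tier rates are placeholder assumptions chosen to reproduce the page's own regimes (thousands per record below 10K, a few hundred in the 10K to 1M band, $5 to $25 at 100M), and should be replaced with your own vendor and counsel quotes before the output is used for budgeting. The tier logic works like tax brackets: each record is priced at the marginal rate of the tier it falls in.

```python
"""Breach-cost estimator: fixed response costs plus tiered per-record costs.

Added example, not the site's calculator.  Every dollar figure below is an
assumed placeholder chosen to reproduce the three regimes described in the
text; replace them with your own quotes (forensics retainer, mailing vendor,
call centre, credit monitoring) before using the output for budgeting.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CostModel:
    fixed_cost: float      # forensics, outside counsel, regulator engagement: paid regardless of size
    letter_cost: float     # per notification letter (page range: $1-3)
    call_rate: float       # fraction of notified individuals who phone the call centre (assumed)
    call_cost: float       # per call handled (page range: $20-80)
    tiers: tuple[tuple[float, float], ...]  # (upper record bound, marginal $/record) for other response costs


# Assumed parameters.  Tier rates fall with volume because credit monitoring,
# mailing and legal exposure are negotiated down at scale.
HEALTHCARE_2025 = CostModel(
    fixed_cost=1_500_000.0,
    letter_cost=2.0,
    call_rate=0.05,
    call_cost=40.0,
    tiers=(
        (10_000, 400.0),      # first 10K records: full per-record response
        (1_000_000, 380.0),   # 10K-1M: the band where the $408 benchmark is comparable
        (10_000_000, 30.0),   # 1M-10M: bulk credit-monitoring and mailing rates
        (math.inf, 6.0),      # beyond 10M: mega-breach marginal cost
    ),
)


def notification_cost(records: int, model: CostModel) -> float:
    """Letters to every affected individual plus call-centre handling for the share who phone in."""
    letters = records * model.letter_cost
    calls = records * model.call_rate * model.call_cost
    return letters + calls


def tiered_response_cost(records: int, model: CostModel) -> float:
    """Marginal-rate cost: each record is charged at the rate of the tier it falls in."""
    total = 0.0
    lower = 0
    for upper, rate in model.tiers:
        if records <= lower:
            break
        in_tier = min(records, upper) - lower
        total += in_tier * rate
        lower = upper
    return total


def breach_cost(records: int, model: CostModel = HEALTHCARE_2025) -> float:
    """Total cost carried by the breached entity for a breach affecting `records` individuals."""
    if records <= 0:
        raise ValueError("records must be positive")
    return model.fixed_cost + notification_cost(records, model) + tiered_response_cost(records, model)


def per_record_cost(records: int, model: CostModel = HEALTHCARE_2025) -> float:
    """Effective per-record cost, the figure IBM's $408 benchmark is comparable to."""
    return breach_cost(records, model) / records


def flat_multiplier_ratio(records: int, flat_rate: float = 408.0, model: CostModel = HEALTHCARE_2025) -> float:
    """How far off a naive `records * flat_rate` estimate is: >1 overestimates, <1 underestimates."""
    return (records * flat_rate) / breach_cost(records, model)


if __name__ == "__main__":
    print(f"{'records':>12} {'total $':>16} {'$/record':>10} {'flat $408 / model':>18}")
    for n in (1_000, 10_000, 100_000, 1_000_000, 10_000_000, 100_000_000):
        print(f"{n:>12,} {breach_cost(n):>16,.0f} {per_record_cost(n):>10,.0f} {flat_multiplier_ratio(n):>18.2f}")
```

Run stand-alone it prints one row per breach size; the last column is the ratio of a flat $408-per-record estimate to the modelled total, which is roughly 0.2 for a 1,000-record breach (the flat figure misses most of the fixed cost) and above 25 for a 100-million-record breach (the flat figure ignores amortisation). Swap in a different CostModel to compare a vendor's actual quote against the benchmark.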

Section HC.3

OCR HIPAA enforcement: the regulator side of the bill

The HHS Office for Civil Rights is the principal federal enforcer of HIPAA. OCR maintains a public breach portal, frequently called the "Wall of Shame", listing every reported breach of unsecured PHI affecting 500 or more individuals. The OCR Breach Portal is the single most useful public dataset for benchmarking healthcare breach scale against your peer cohort. Resolution agreements that include monetary payments are published as enforcement highlights on the OCR website.

HIPAA civil monetary penalties follow the four-tier structure introduced by the HITECH Act, with each amount adjusted annually for inflation. The amounts below are the 2023 inflation adjustment; HHS publishes a revised set in the Federal Register each year, so check the current notice before quoting them: Tier 1 (lack of knowledge, $137 to $68,928 per violation), Tier 2 (reasonable cause, $1,379 to $68,928), Tier 3 (willful neglect, corrected within 30 days, $13,785 to $68,928), and Tier 4 (willful neglect, not corrected, $68,928 to $2,067,813 per violation). The cap for identical violations in a calendar year is approximately $2.07M at Tier 4; since a 2019 Notice of Enforcement Discretion, HHS applies lower annual caps to Tiers 1 to 3 (inflation-adjusted from $25,000, $100,000 and $250,000 respectively). Distinct violations arising from a single incident are counted separately, which is how OCR settlements reach seven figures and, in the Anthem case, eight.

Beyond OCR civil penalties, healthcare entities face state attorney-general actions that can exceed the federal penalty several times over. The Anthem 2015 breach drew a $39.5M multistate AG settlement (2020) on top of OCR's $16M HIPAA settlement (2018, still the largest OCR has collected) and a $115M class-action settlement (2017). The three settlements alone total $170.5M; with the security remediation spending Anthem disclosed after the breach, the total cost is commonly put north of $260M. State AGs have grown more aggressive each year, with California, New York, and Texas leading in volume.

Section HC.4

Notable healthcare breaches and what they cost

Change Healthcare (UnitedHealth), 2024

190M records / ALPHV/BlackCat ransomware / Citrix portal credential

$2.45B+

Change Healthcare processes around 15 billion healthcare transactions a year for UnitedHealth. In February 2024 an ALPHV/BlackCat affiliate gained access through a Citrix remote-access portal that lacked MFA, exfiltrated data later estimated to cover 190 million individuals, and encrypted core claims-processing systems. UnitedHealth paid a $22 million ransom, which did not prevent a second extortion attempt: ALPHV's operators kept the payment and the affiliate holding the data took it to RansomHub. The $2.45 billion figure is the upper end of the full-year impact UnitedHealth disclosed in its Q2 2024 earnings release and reaffirmed in subsequent 10-Q filings; the remediation, third-party assistance, customer support, and direct response costs continued accruing into 2026.

Primary source: UnitedHealth Group Q2 2024 earnings release and 10-Q filings, 2024-2025.

Anthem (Elevance Health), 2015

78.8M records / Spear-phishing / No encryption at rest

$260M+

Anthem disclosed the largest healthcare breach of its era in February 2015 after an intrusion that began with spear-phishing (a 2019 DOJ indictment charged China-based actors) accessed names, SSNs, dates of birth, employment, and income data for 78.8 million members and former members. Anthem agreed to a $115M class-action settlement in 2017, a $16M OCR HIPAA settlement in 2018, and a $39.5M multistate AG settlement in 2020. Those settlements total $170.5M; the $260M+ headline figure adds the security remediation spending Anthem disclosed after the breach.

Primary source: OCR press release 15 October 2018; class-action settlement order, In re Anthem Inc. Data Breach Litigation; California AG announcement 30 September 2020.

Premera Blue Cross, 2014

11M records / Custom malware / 9-month dwell time

$74M class action; about $91M with AG and OCR settlements

Premera disclosed in March 2015 that custom malware deployed on its network in May 2014 had given attackers access to PHI for 11 million members. Detection took about nine months. Over the following five years Premera paid a $10M multistate AG settlement (2019), a $74M class-action settlement, and a $6.85M OCR HIPAA settlement (2020).

Primary source: OCR HIPAA enforcement settlement 25 September 2020; multistate AG announcement 11 July 2019.

23andMe, 2023

6.9M records / Credential stuffing / DNA Relatives exposure

$30M settlement; $400M+ estimated total impact

23andMe combines healthcare cost dynamics with the unrecoverability of genetic data. The breach disclosed in October 2023 used credential stuffing against accounts that lacked MFA, then chained the DNA Relatives feature to enumerate linked profiles, ultimately exposing data on 6.9M users. A $30M class-action settlement was approved in 2024, but the brand damage was unrecoverable: 23andMe filed for Chapter 11 bankruptcy in 2025, attributing its operating losses in part to the breach. The $400M+ figure is an estimate of total economic impact that includes a share of the market-cap decline from peak valuation; that decline is not separable from the company's pre-existing commercial problems, so treat it as an upper bound rather than a disclosed cost.

Primary source: 23andMe SEC 8-K filings, Q4 2023; class-action settlement order Northern District of California, 2024; Chapter 11 filing 2025.

Section HC.5

What healthcare-specific controls actually move the cost

Across IBM's 2025 dataset, the controls that produce the largest verified savings for healthcare entities are incident-response team retainer (around $2.66M average saving), AI and security automation deployed extensively (around $1.90M saving), employee security training that covers phishing recognition and basic data-handling discipline ($1.50M), and Zero Trust architecture ($1.50M). MFA enforcement on every account, especially clinical-staff accounts and contractor accounts, produces an $800K saving and is by far the highest-ROI control on a dollar-per-dollar basis.

Healthcare-specific overlays that compound the generic controls: network segmentation between clinical and corporate networks limits ransomware blast radius; encryption at rest with documented key-management practice qualifies for the encryption safe harbour in the HIPAA Breach Notification Rule and most state breach-notification laws, so that lost or stolen encrypted data whose keys stay secure is not a reportable breach; and tabletop exercises that include the clinical leadership team (not only IT and security) materially reduce response time for the patient-care components of an incident.

On the prevention pricing side, see PenetrationTestingCost.com for healthcare pen-test pricing benchmarks, PCIComplianceCost.com for the card-data side of healthcare billing operations, and EDRCost.com for endpoint detection pricing in clinical environments.


Primary source: Healthcare sector cost figures from IBM Cost of a Data Breach Report 2025. HIPAA enforcement data from HHS OCR. Notable breach totals from publicly disclosed SEC filings, OCR resolution agreements, and class-action settlement orders.