Industry: Healthcare · Updated May 2026

Healthcare Incident Cost: What a Breach or Outage Actually Costs in 2026

Average breach cost: $7.42M
Consecutive years as the costliest industry: 14
Mean ransomware recovery cost: $2.57M
HIPAA tier 4 annual cap (per provision): $2.067M

Healthcare is the most expensive industry for security incidents and has been since 2011. The IBM Cost of a Data Breach Report 2025 puts the average healthcare breach at $7.42M, roughly 67% above the cross-industry $4.44M global average. The structural drivers are not going away: protected health information sells for an order of magnitude more than payment card numbers because it cannot be cancelled, regulatory exposure under HIPAA is severe and getting tighter, and operational disruption to clinical systems carries patient-safety implications that change the economic decision tree during an incident.

The Cost Stack of a Healthcare Incident

The $7.42M IBM headline figure is an aggregate. Underneath it, a healthcare incident has four distinct cost layers and the ratio between them is different from any other sector. In financial services or technology, direct response costs and lost business roughly balance. In healthcare, regulatory and notification costs compound, and the patient-safety dimension forces decisions that no other industry has to weigh.

| Cost layer | Range (per major incident) | Why higher in healthcare |
|---|---|---|
| Detection and escalation | $1.5M-$2.5M | Industry mean dwell time of 213 days inflates this layer; per IBM CODB 2025, the healthcare detection lifecycle is the longest of any sector. |
| Notification | $0.4M-$2.5M | HHS OCR requires individual written notification, media notification if 500+ individuals in a state are affected, and HHS notification within 60 days. |
| Post-breach response | $1.2M-$3M | Includes credit and identity monitoring (typically 12-24 months), legal defense, regulatory engagement, and PR. |
| Lost business and clinical disruption | $1.5M-$5M+ | Cancelled elective procedures, ambulance diversions, manual chart workflows during EHR downtime, and patient churn. |

Ranges triangulate the IBM CODB 2025 healthcare cohort against per-incident disclosures (Anthem, Universal Health Services, Common Spirit, Change Healthcare). Specific incidents may fall outside these bands.

HIPAA Penalty Math

Civil monetary penalties under HIPAA have four tiers, defined in the HITECH Act and adjusted annually for inflation by the HHS Office for Civil Rights. The 2024 inflation-adjusted figures (most recent Federal Register notice published before this site update) are below. These are per-violation amounts; a breach affecting 100,000 records can in principle trigger 100,000 violations of the same provision, capped annually.

| Tier | Trigger | Per violation | Annual cap (per provision) |
|---|---|---|---|
| Tier 1 | No knowledge of violation | $137-$68,928 | $2,067,813 |
| Tier 2 | Reasonable cause, not willful neglect | $1,379-$68,928 | $2,067,813 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785-$68,928 | $2,067,813 |
| Tier 4 | Willful neglect, not corrected | $68,928 minimum | $2,067,813 |

Source: 45 CFR 102.3, as updated 17 October 2024 in 89 FR 83444. Figures rounded to nearest dollar.

In practice, OCR has rarely taken individual violations to the per-violation cap. Most resolutions have come through a Resolution Agreement with a Corrective Action Plan (CAP) and a single negotiated settlement amount. Notable examples: Anthem 2018 ($16M), Premera Blue Cross 2020 ($6.85M), Excellus Health Plan 2021 ($5.1M), and the 2023 Lifespan Health System settlement ($1.04M). The deterrent value sits in the size of those numbers, the audit obligations they bring, and the two-to-three-year corrective-action timeline a CAP typically imposes.

Ransomware in Healthcare: The Patient-Safety Dimension

Healthcare ransomware is its own discipline because the operational impact is binary in a way that no other sector matches. When an EHR, PACS, or pharmacy system is encrypted, clinicians fall back to paper, ambulances divert, elective procedures cancel, and lab results queue. Multiple peer-reviewed studies have found measurable increases in patient mortality during and immediately after hospital ransomware events. That changes the economic posture: hospitals with active ransomware are far more likely to pay because the alternative is not just revenue loss, it is patient harm.

The cost data tracks this dynamic. Sophos State of Ransomware in Healthcare 2024 reported a mean recovery cost of $2.57M, more than double the $1.27M figure from the prior year. According to Sophos, the median ransom payment in healthcare in 2024 was $1.5M, 67% of healthcare organisations surveyed were hit by ransomware, and 53% of those hit paid. The combination of a high pay rate and a high recovery cost means healthcare is structurally more attractive to ransomware operators than other sectors.

| Incident | Year | Disclosed cost | Notes |
|---|---|---|---|
| Change Healthcare (UnitedHealth) | 2024 | $2.45B+ | UnitedHealth Q1 2024 disclosure was $872M; updated 2024 estimate is $2.45B+; ALPHV/BlackCat ransom of $22M. |
| Common Spirit Health | 2022 | ~$150M | Per the system's quarterly financial disclosures; affected 624 hospitals. |
| Universal Health Services | 2020 | $67M | Disclosed in 10-Q filings; Ryuk ransomware on 250+ facilities. |
| Sky Lakes Medical Center | 2020 | ~$10M | Public statement from CEO; complete system rebuild required. |
| Anthem (data breach) | 2015 | $260M+ | $115M class settlement, $39.5M state AG settlement, $16M OCR settlement; 78.8M records. |

Figures are taken from public regulatory filings, official press statements, and consent-decree disclosures. The true total cost is typically higher than the disclosed amount once long-tail litigation and reputational impact resolve.

The PHI Record Value Premium

A single PHI record on dark-web markets has historically traded for $250-$1,000 according to research from Trustwave SpiderLabs and the Verizon DBIR longitudinal data. The equivalent payment card record trades for $5-$30. The premium reflects three things. First, PHI cannot be cancelled and reissued the way a credit card can. Second, the demographic completeness of a healthcare record (full name, date of birth, address, social security number, insurance ID, medical history) enables long-running identity-theft and benefits-fraud schemes. Third, prescription-drug fraud and Medicare-claim fraud have a meaningful underground economy that purely financial data cannot serve.

The economic implication for an incident response budget: per-record cost in healthcare is materially higher than in retail or finance. The HHS OCR Breach Portal, which publishes every breach affecting 500 or more individuals, shows healthcare breaches frequently affect millions of records per event. The OCR breach reporting tool is the canonical public dataset for healthcare incident frequency and scale.

Why Healthcare Detection Time Is the Longest of Any Industry

IBM CODB 2025 reports that healthcare has the longest detection-and-containment lifecycle of any industry tracked. The cross-industry mean is 258 days from breach to containment; healthcare runs higher, frequently above 280 days. The reasons are well documented and structural rather than competence-based.

  • Heterogeneous device estate. Hospitals run thousands of medical devices that are FDA-regulated software embedded in capital equipment. Patching schedules are vendor-controlled and slow. Devices stay in service for 10-20 years; many run unsupported operating systems.
  • Legacy clinical systems. Mission-critical EHR and ancillary systems were architected before modern security telemetry standards. Endpoint detection and response (EDR) coverage is uneven across clinical workstations.
  • Resource constraints. Provider IT budgets average around 4% of revenue, lower than financial services (around 7%) or technology (often 15%+). Security headcount per capita is correspondingly thin.
  • Operational risk aversion. Aggressive security controls (segmentation, MFA, conditional access) get rolled back when they slow clinical workflows. The risk calculus weighs downtime against breach risk and frequently favours availability.

Each additional day in the detection-and-containment lifecycle costs money. IBM CODB 2025 estimates that breaches contained in under 200 days cost on average $1.02M less than those over 200 days. For healthcare specifically, the dwell-time premium adds roughly $500K-$1.5M to the average incident cost relative to faster-detecting industries.

Cost-Reduction Levers That Actually Work in Healthcare

IBM CODB 2025 identified three controls associated with the largest reductions in average breach cost across the dataset. These translate to healthcare; the table below maps each control's expected breach-cost reduction against a per-organisation investment range.

| Control | Cost reduction (IBM CODB 2025) | Healthcare investment range |
|---|---|---|
| AI and automation in security | -$2.22M avg | $200K-$2M/yr depending on scope (XDR/MDR with AI tier) |
| DevSecOps approach | -$259K avg | Integration into existing SDLC; mostly process cost, $50K-$300K consulting |
| Incident response team and tested IR plan | -$248K avg | $50K-$500K retainer + tabletop exercises 2-4x/year |

For provider organisations, the highest-ROI investment is typically a managed detection and response (MDR) service with healthcare-specific tuning. The arithmetic is straightforward: $300K-$800K/year for MDR, set against a $7.42M expected loss-given-breach and an industry mean breach probability of approximately 25-35% over a five-year window, yields a positive expected-value return even before counting CAP avoidance and reputational benefit.

Frequently Asked Questions

What is the average cost of a healthcare data breach?
The IBM Cost of a Data Breach Report 2025 puts healthcare at $7.42M average per breach. Healthcare has held the highest per-breach cost of any industry for 14 consecutive years, approximately 67% above the global $4.44M cross-industry mean.

Why is healthcare so expensive when breached?
Three structural reasons. PHI record value on the underground market is approximately 10x payment card data because PHI cannot be cancelled. Regulatory exposure is heavier (HIPAA, HITECH, plus state laws). And operational disruption to clinical systems can cost lives, which forces faster, more expensive recovery decisions, including paid ransoms.

How much can OCR fine a hospital for a HIPAA breach?
OCR penalties have four tiers, from $137 per violation (no knowledge) to $68,928 per violation (willful neglect, uncorrected), with an annual cap per identical provision of $2,067,813. Aggregate Resolution Agreement settlements have ranged from $25,000 to $16M. Penalty figures are adjusted annually for inflation.

What does ransomware on a hospital actually cost?
Beyond the ransom, downtime cost dominates. Sky Lakes Medical Center reported approximately $10M direct loss in 2020. Universal Health Services reported $67M in 2020. Common Spirit Health disclosed approximately $150M in 2022. Change Healthcare 2024 has cost UnitedHealth in excess of $2.45B per its disclosures.

How much does breach notification cost in healthcare?
Per-affected-person cost runs $4-$25 for postage, printing, and call-center capacity, plus $1.50-$4 per month per person for credit and identity monitoring (typically 12-24 months). For a 100,000-record breach, notification alone runs $400K-$2.5M before any monitoring.

Is healthcare ransomware getting more expensive?
Yes. Sophos State of Ransomware in Healthcare 2024 reported the mean recovery cost at $2.57M, up from $1.27M in 2023. Median ransom payments in healthcare in 2024 were $1.5M, with mean payments substantially higher once the largest payments are included.

What are the most expensive named healthcare incidents?
Anthem 2015 ($260M+ total cost). Change Healthcare 2024 ($2.45B+ to date). Common Spirit 2022 (~$150M). Universal Health Services 2020 ($67M). These are the public-disclosure benchmarks against which less-public incidents triangulate.

IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.