Industry: Healthcare · Updated June 2026

Healthcare Incident Cost: What a Breach or Outage Actually Costs in 2026

Q: What is the average cost of a healthcare data breach?

The IBM Cost of a Data Breach Report 2025 puts the healthcare sector average at $7.42M per breach. Healthcare has held the highest per-breach cost of any industry for 14 consecutive years. The figure is approximately 67% higher than the cross-industry average of $4.44M.

Q: Why is healthcare so expensive when breached?

Three structural reasons. First, the protected health information (PHI) record value on the underground market is approximately 10x higher than payment card data because PHI cannot be cancelled and reissued. Second, regulatory exposure is heavier (HIPAA Security Rule, HITECH Act breach notification, plus state laws). Third, operational disruption to clinical systems can cost lives, which forces faster, more expensive recovery decisions including paid ransoms.

Q: What does ransomware on a hospital actually cost?

Beyond the ransom itself, downtime cost dominates. Sky Lakes Medical Center estimated $10M direct loss after their 2020 incident. Universal Health Services took a $67M hit on its 2020 ransomware. Common Spirit Health disclosed $150M in losses from its 2022 attack. The cost stack is: forensics, system rebuild, manual workflows during downtime, lost elective procedures, paid overtime, breach notification, lawsuits, and credit monitoring.

Q: How much does breach notification cost in healthcare?

HHS Office for Civil Rights requires notification of every affected individual in writing, plus media notification if the breach affects 500 or more residents of a state, plus notification to OCR. Per-affected-person cost ranges from $4 to $25 for postage, printing, and call-center capacity, plus $1.50 to $4 per month per person for credit monitoring (typically offered for 12-24 months). For a 100,000-record breach, notification alone runs $400K-$2.5M before any monitoring.

Q: What are the most expensive named healthcare incidents?

Anthem 2015 (78.8M records, $260M+ total cost including $115M settlement, $39.5M HHS settlement). Change Healthcare 2024 (UnitedHealth disclosed $872M in Q1 2024 alone, total estimated $2.45B+). Common Spirit 2022 (~$150M). Universal Health Services 2020 ($67M). These are the public-disclosure benchmarks against which less-public incidents triangulate.

$7.42M

Avg breach cost

14 yrs

#1 industry running

$1.02M

Mean ransomware recovery

$2.19M

HIPAA tier 4 annual cap

Healthcare is the most expensive industry for security incidents and has been since 2011. The IBM Cost of a Data Breach Report 2025 puts the average healthcare breach at $7.42M, roughly 67% above the cross-industry $4.44M global average. The structural drivers are not going away: protected health information sells for an order of magnitude more than payment card numbers because it cannot be cancelled, regulatory exposure under HIPAA is severe and getting tighter, and operational disruption to clinical systems carries patient-safety implications that change the economic decision tree during an incident.

The Cost Stack of a Healthcare Incident

The $7.42M IBM headline figure is an aggregate. Underneath it, a healthcare incident has four distinct cost layers and the ratio between them is different from any other sector. In financial services or technology, direct response costs and lost business roughly balance. In healthcare, regulatory and notification costs compound, and the patient-safety dimension forces decisions that no other industry has to weigh.

Cost Layer	Range (per major incident)	Why higher in healthcare
Detection and escalation	$1.5M-$2.5M	Industry mean dwell time of 213 days inflates this layer; per IBM CODB 2025 healthcare detection lifecycle is the longest of any sector.
Notification	$0.4M-$2.5M	HHS OCR requires individual written notification, media notification if 500+ in a state, and HHS notification within 60 days.
Post-breach response	$1.2M-$3M	Includes credit and identity monitoring (typically 12-24 months), legal defense, regulatory engagement, and PR.
Lost business and clinical disruption	$1.5M-$5M+	Cancelled elective procedures, ambulance diversions, manual chart workflows during EHR downtime, and patient churn.

Ranges triangulate the IBM CODB 2025 healthcare cohort against per-incident disclosures (Anthem, Universal Health Services, Common Spirit, Change Healthcare). Specific incidents may fall outside these bands.

HIPAA Penalty Math

Civil monetary penalties under HIPAA have four tiers, defined in the HITECH Act and adjusted annually for inflation by the HHS Office for Civil Rights. The figures below reflect the 2026 inflation adjustment (multiplier 1.02598), effective 28 January 2026 per the Federal Register notice. These are per-violation amounts; a breach affecting 100,000 records can in principle trigger 100,000 violations of the same provision, capped annually. The annual caps shown are the lower per-tier caps OCR has applied under its 2019 enforcement-discretion policy (the Federal Register lists the single statutory $2,190,294 cap for every tier).

Tier	Trigger	Per Violation	Annual Cap (per provision)
Tier 1	No knowledge of violation	$145-$36,506	$36,506
Tier 2	Reasonable cause, not willful neglect	$1,461-$73,011	$146,053
Tier 3	Willful neglect, corrected within 30 days	$14,602-$73,011	$365,052
Tier 4	Willful neglect, not corrected	$73,011 minimum	$2,190,294

Source: 45 CFR 102.3, HHS 2026 annual inflation adjustment effective 28 January 2026 (multiplier 1.02598). Per-tier annual caps per OCR's 2019 enforcement-discretion policy (84 FR 18151). Figures rounded to nearest dollar.

In practice, the OCR has rarely taken individual violations to the per-violation cap. Most resolutions have come through a Resolution Agreement with a Corrective Action Plan and a single negotiated settlement amount. Notable examples: Anthem 2018 ($16M), Premera Blue Cross 2020 ($6.85M), Excellus Health Plan 2021 ($5.1M), and the 2023 Lifespan Health System settlement ($1.04M). The deterrent value sits in the size of those numbers, the audit obligations they bring, and the corrective-action timeline a CAP imposes for typically two to three years.

Ransomware in Healthcare: The Patient-Safety Dimension

Healthcare ransomware is its own discipline because the operational impact is binary in a way that no other sector matches. When an EHR, PACS, or pharmacy system is encrypted, clinicians fall back to paper, ambulances divert, elective procedures cancel, and lab results queue. Multiple peer-reviewed studies have found measurable increases in patient mortality during and immediately after hospital ransomware events. That changes the economic posture: hospitals with active ransomware are far more likely to pay because the alternative is not just revenue loss, it is patient harm.

The cost data is shifting fast. Sophos State of Ransomware in Healthcare 2025 reported a mean recovery cost of $1.02M excluding ransom, down 60% from $2.57M the prior year as recovery grew more efficient. Ransom economics softened too: the mean ransom payment fell to $150K (from $1.47M in 2024) and the median ransom demand dropped 91% to $343K (from $4M), with 36% of attacked healthcare organisations paying. Even with smaller individual sums, healthcare remains a priority target because clinical-system downtime carries patient-safety pressure that other sectors do not.

Incident	Year	Disclosed Cost	Notes
Change Healthcare (UnitedHealth)	2024	$2.45B+	UnitedHealth Q1 2024 disclosure was $872M; updated 2024 estimate is $2.45B+; ALPHV/BlackCat ransom of $22M.
Common Spirit Health	2022	~$150M	Per the system's quarterly financial disclosures; affected 624 hospitals.
Universal Health Services	2020	$67M	Disclosed in 10-Q filings; Ryuk ransomware on 250+ facilities.
Sky Lakes Medical Center	2020	~$10M	Public statement from CEO; complete system rebuild required.
Anthem (data breach)	2015	$260M+	$115M class settlement, $39.5M state AG settlement, $16M OCR settlement; 78.8M records.

Figures are taken from public regulatory filings, official press statements, and consent-decree disclosures. Total true cost is typically higher than disclosed amount once long-tail litigation and reputational impact resolve.

The PHI Record Value Premium

A single PHI record on dark-web markets has historically traded for $250-$1,000 according to research from Trustwave SpiderLabs and the Verizon DBIR longitudinal data. The same record set as payment card data trades for $5-$30. The premium reflects three things. First, PHI cannot be cancelled and reissued the way a credit card can. Second, the demographic completeness of a healthcare record (full name, date of birth, address, social security number, insurance ID, medical history) enables long-running identity-theft and benefits-fraud schemes. Third, prescription-drug fraud and Medicare-claim fraud have a meaningful underground economy that pure-financial data cannot serve.

The economic implication for an incident response budget: per-record cost in healthcare is materially higher than in retail or finance. The HHS OCR Breach Portal, which publishes every breach affecting 500 or more individuals, shows healthcare breaches frequently affect millions of records per event. The OCR breach reporting tool is the canonical public dataset for healthcare incident frequency and scale.

Why Healthcare Detection Time Is the Longest of Any Industry

IBM CODB 2025 reports that healthcare has the longest detection-and-containment lifecycle of any industry tracked. The cross-industry mean is 241 days from breach to containment; healthcare runs longest, at around 279 days. The reasons are well documented and structural rather than competence-based.

Heterogeneous device estate. Hospitals run thousands of medical devices that are FDA-regulated software embedded in capital equipment. Patching schedules are vendor-controlled and slow. Devices stay in service for 10-20 years; many run unsupported operating systems.
Legacy clinical systems. Mission-critical EHR and ancillary systems were architected before modern security telemetry standards. Endpoint detection and response (EDR) coverage is uneven across clinical workstations.
Resource constraints. Provider IT budgets average around 4% of revenue, lower than financial services (around 7%) or technology (often 15%+). Security headcount per capita is correspondingly thin.
Operational risk aversion. Aggressive security controls (segmentation, MFA, conditional access) get rolled back when they slow clinical workflows. The risk calculus weighs downtime against breach risk and frequently favours availability.

Each additional day in the detection-and-containment lifecycle costs money. IBM CODB 2025 estimates that breaches contained in under 200 days cost on average $1.14M less than those over 200 days ($3.87M vs $5.01M). For healthcare specifically, the dwell-time premium adds roughly $500K-$1.5M to the average incident cost relative to faster-detecting industries.

Cost-Reduction Levers That Actually Work in Healthcare

IBM CODB 2025 quantifies the controls associated with the largest reductions in average breach cost across the dataset. The three below translate cleanly to healthcare; we map the per-organisation investment range against the IBM-reported breach-cost reduction.

Control	Cost Reduction (IBM CODB 2025)	Healthcare Investment Range
AI and automation in security (extensive use)	-$1.9M avg	$200K-$2M/yr depending on scope (XDR/MDR with AI tier)
DevSecOps approach	-$227,192 avg	Integration into existing SDLC; mostly process cost, $50K-$300K consulting
Encryption of PHI at rest and in transit	-$208,087 avg	Largely included in EHR and storage platforms; $50K-$200K to close gaps

For provider organisations, the highest-ROI investment is typically a managed detection and response (MDR) service with healthcare-specific tuning. The arithmetic: $300K-$800K/year for MDR against $7.42M expected loss-given-breach with industry mean breach probability of approximately 25-35% over a five-year window translates to a positive expected-value return even before counting CAP-avoidance and reputational benefit.

Frequently Asked Questions

What is the average cost of a healthcare data breach?

The IBM Cost of a Data Breach Report 2025 puts healthcare at $7.42M average per breach. Healthcare has held the highest per-breach cost of any industry for 14 consecutive years, approximately 67% above the global $4.44M cross-industry mean.

Why is healthcare so expensive when breached?

Three structural reasons. PHI record value on the underground market is approximately 10x payment card data because PHI cannot be cancelled. Regulatory exposure is heavier (HIPAA, HITECH, plus state laws). And operational disruption to clinical systems can cost lives, which forces faster, more expensive recovery decisions including paid ransoms.

How much can OCR fine a hospital for a HIPAA breach?

Under the 2026 inflation-adjusted amounts (effective 28 January 2026), penalties run from $145 per violation (Tier 1) to $73,011, with Tier 4 reaching $2,190,294 per violation and a $2.19M annual cap per identical provision. OCR applies lower per-tier annual caps in practice ($36,506 / $146,053 / $365,052 for Tiers 1 to 3). Aggregate Resolution Agreement settlements have ranged from $25,000 to $16M.

What does ransomware on a hospital actually cost?

Beyond the ransom, downtime cost dominates. Sky Lakes Medical Center reported approximately $10M direct loss in 2020. Universal Health Services reported $67M in 2020. Common Spirit Health disclosed approximately $150M in 2022. Change Healthcare 2024 has cost UnitedHealth in excess of $2.45B per its disclosures.

How much does breach notification cost in healthcare?

Per-affected-person cost runs $4-$25 for postage, printing, and call-center capacity, plus $1.50-$4 per month per person for credit and identity monitoring (typically 12-24 months). For a 100,000-record breach, notification alone runs $400K-$2.5M before any monitoring.

Is healthcare ransomware getting more expensive?

No, the trend reversed in 2025. Sophos State of Ransomware in Healthcare 2025 reported mean recovery cost (excluding ransom) at $1.02M, down 60% from $2.57M in 2024. The mean ransom payment fell to $150K (from $1.47M in 2024) and the median ransom demand dropped 91% to $343K, with 36% of attacked healthcare organisations paying.

What are the most expensive named healthcare incidents?

Anthem 2015 ($260M+ total cost). Change Healthcare 2024 ($2.45B+ to date). Common Spirit 2022 (~$150M). Universal Health Services 2020 ($67M). These are the public-disclosure benchmarks against which less-public incidents triangulate.