Since 2004, the Cybersecurity and Infrastructure Security Agency (CISA) has designated October as Cybersecurity Awareness Month to promote the importance of taking actions to stay safe online. Perhaps nowhere is cybersecurity more critical than healthcare, where patient information represents the most coveted prize of digital thieves seeking to use stolen data for identity theft, medical fraud, tax fraud, or ransomware extortion. In honor of Cybersecurity Awareness Month, we're highlighting healthcare data breach statistics to draw attention to the need for proactive vigilance in this crucial area of cybersecurity.
Cost and Frequency of Healthcare Data Breaches
- Healthcare breaches cost organizations an average of $398 per exposed record (Veriti).
- Healthcare breaches cost an average of $7.42 million per incident, the costliest of any industry (HIPAA Journal).
- The number of healthcare providers reporting over $200,000 in losses quadrupled between 2024 and 2025 (Netwrix).
- The percentage of healthcare providers suffering losses of over $500,000 (12%) was higher than the average across all industries (6%) (Netwrix).
- The largest contributors to breach costs are detection and escalation ($1.47 million on average), lost business ($1.38 million), and post-breach response ($1.2 million) (HIPAA Journal).
- Nearly half of breached healthcare organizations raise prices to cover breach costs, with nearly one-third raising prices 15% or more (HIPAA Journal).
- While financial gain accounts for attacker motive in 90% of healthcare security breaches, espionage plays an increasing role due to events such as the Russia-Ukraine war, factoring into 16% of cases (Verizon).
- Almost half (48%) of healthcare organizations have experienced at least one cybersecurity incident over the past year (Netwrix).
- In 2024, Verizon received reports of 1,710 data breach incidents compromising the integrity, confidentiality, or availability of data in the healthcare industry, with 1,542 cases of confirmed data disclosure (Verizon).
- Since 2009, the number of healthcare breaches affecting 500 or more individuals reported to the HHS Office for Civil Rights (OCR) has generally increased each year; reports fell slightly in 2024 and, as of August 2025, have continued to fall this year (HIPAA Journal). (Note that OCR does not track breaches affecting fewer than 500 people.)
- Between 2009 and 2024, OCR received 6,759 reports of healthcare breaches affecting 500 or more people, impacting 846,962,011 U.S. individuals in total (HIPAA Journal).
- As of September 20, 2025, OCR received 508 reports of healthcare breaches affecting 500 or more individuals in 2025, compared to 739 for all of 2024 (HIPAA Journal).
- In 2025, healthcare breaches affecting 500 or more individuals have averaged 63.5 per month (HIPAA Journal).
- In 2025, healthcare data breaches averaged 71,276 records per breach (HIPAA Journal).
- The largest healthcare data breach reported so far in 2025, an attack on Yale New Haven Health, affected about 5.6 million people (Healthcare Dive).
User Account Compromise Statistics
- At the start of 2025, user account compromise represented the most prevalent threat to healthcare organizations, affecting 74% of organizations running in cloud environments and 44% in on-premises environments (Infosecurity Magazine).
- In 2024, 79% of healthcare providers were targeted by emails involving hacking incidents and unauthorized access (U.S. Department of Health and Human Services).
- Nearly one-third (31%) of healthcare organizations have experienced incidents involving compromised user or administrative accounts (Netwrix).
- Attacks on healthcare providers account for 15% of all business email compromise incidents (Palo Alto Networks).
Phishing Statistics
- At the start of 2025, phishing represented the second most prevalent threat to healthcare organizations, affecting 62% of organizations running in cloud environments and 63% in on-premises environments (Infosecurity Magazine).
- As of September 2025, phishing represents the most common access vector for healthcare data breaches, accounting for 16% of breaches (HIPAA Journal).
- Healthcare is more vulnerable to phishing than any other major industry, with 41.9% of organizations susceptible, compared to 39.2% of insurance providers and 36.5% of retail and wholesale providers (KnowBe4).
Ransomware Statistics
- Healthcare is the top target for ransomware attackers, accounting for 17% of ransomware attacks across all industries (Veriti).
- 458 ransomware events were tracked in the healthcare sector in 2024 (Health-ISAC).
- Three of the four largest healthcare breaches in August 2025 were ransomware attacks (HIPAA Journal).
- The average healthcare ransomware attacker demands $7 million from target organizations (Veriti).
- The highest ransomware demand to a healthcare provider was $100 million (Veriti).
- Operating system misconfigurations are one of the biggest exploit targets for ransomware groups, who abuse weaknesses such as legacy NTLMv2 authentication, found enabled on 1,053 hosts and leveraged for privilege escalation and lateral movement (Veriti).
- Endpoint misconfigurations represent another major target for ransomware attackers, with 22% of hosts having volume shadow copy misconfigured to allow disabling of recovery options, and 35% having quarantine on write disabled (Veriti).
AI and Healthcare Security Statistics
- Over a third of healthcare organizations (37%) say AI-driven threats are forcing them to develop stronger defenses (Netwrix).
- 82% of phishing emails now use AI-generated content (KnowBe4).
- 69% of healthcare providers express concern that use of AI will increase data security and privacy issues (Cyber Risk Alliance).
- 59% of security professionals express concerns that healthcare staff will not be trained how to properly implement and manage AI tools (Cyber Risk Alliance).
- In the first quarter of 2025, 50% of healthcare organizations were already using AI tools for cybersecurity (Cyber Risk Alliance).
- Nearly all (9 in 10) healthcare organizations plan to incorporate AI tools into their cybersecurity strategy by the end of 2025 (Cyber Risk Alliance).
- Threat intelligence is the most popular AI tool for healthcare cybersecurity applications (adopted or in the process of adoption by 60% of organizations), followed by data analytics (54%), risk assessment (54%), incident response platforms (49%), and Internet of Medical Things (IoMT) device management tools (49%) (Cyber Risk Alliance).
- 60% of security professionals express concern that AI tools will increase spending for healthcare organizations (Cyber Risk Alliance).
Healthcare Security Response Statistics
- 50% of healthcare organizations lack confidence in their ability to detect and manage data breaches (Veriti).
- More than two in five (42%) healthcare organizations have no policies for preventing unauthorized data access (Veriti).
- Over half (51%) of healthcare organizations don't possess the technology to prevent data breaches (Veriti).
- Nearly half (47%) of healthcare organizations lack the expertise to resolve breaches (Veriti).
- Seven in ten (70%) healthcare organizations factor cybersecurity into technology acquisition decisions (KPMG).
- Healthcare organizations take a more proactive role than most other industries in preventing breaches, with just 13% of pentesting findings qualifying as serious, placing healthcare 6th among 13 industries surveyed (Cobalt).
- Healthcare resolves fewer serious findings than other industries, with a 57.4% fix rate ranking 11th out of 13 industries (Cobalt).
- Healthcare takes longer to resolve serious findings than most other industries, with a median time to resolve serious findings (MTTR) of 58 days, longer than all but three other industries surveyed (Cobalt).
- Healthcare organizations accumulate a greater security debt of unresolved serious findings than most other industries, averaging 244 days to resolve half of serious findings, ranking 11th out of 13 industries (Cobalt).
- Globally, the average time to identify and contain a healthcare breach was 241 days in 2025, a decline of 17 days from 2024 and a nine-year low, reflecting the growing number of breaches detected internally by security teams rather than announced by external attackers (HIPAA Journal).
- Most breached healthcare organizations take over 100 days to recover (HIPAA Journal).
Healthcare Data Breach Statistics FAQs
How much do healthcare data breaches cost organizations per incident?
Healthcare breaches cost organizations an average of $7.42 million per incident, exceeding costs for any other industry. This reflects an average cost of $398 per exposed record.
What contributes to the cost of healthcare data breaches?
Breach costs go to pay for detection and escalation ($1.47 million on average), lost business ($1.38 million), and post-breach responses ($1.2 million).
How much do healthcare data breaches cost consumers?
Nearly a third of healthcare organizations experiencing breaches have raised costs of goods and services 15% or more to offset losses.
How many healthcare data breaches occur annually?
Approximately 1,710 healthcare data breaches occur annually, including 739 incidents affecting 500 or more people.
What is the biggest cause of healthcare data breaches?
User account compromise leads the causes of healthcare data breaches (affecting 74% of organizations running in the cloud and 44% running on-premises), followed by phishing (affecting 62% of organizations running in the cloud and 63% running on-premises), with phishing often leading to account compromise.
How long does it take healthcare organizations to resolve breaches?
Globally, it takes healthcare organizations an average 241 days to identify and contain breaches.
How long does it take healthcare organizations to recover from breaches?
Most healthcare organizations that have experienced breaches take over 100 days to recover.
How often are healthcare networks exposed to risk of serious data breach?
Pentests reveal 13% of healthcare vulnerability findings to be serious.
How many healthcare data breach vulnerabilities go unresolved?
Nearly half of serious healthcare pentesting findings go unresolved, with only 57.4% getting fixed.
How fast do healthcare organizations resolve data breach security risks?
Healthcare organizations typically take 58 days to resolve serious vulnerabilities after they have been identified through pentesting.
How well do healthcare security teams keep up with fixing security vulnerabilities?
It typically takes healthcare organizations 244 days to resolve half of serious pentest findings.
What can healthcare organizations do to prevent data breaches?
Healthcare organizations can reduce data breach risks by mandating third-party pentesting, integrating pentesting into software development lifecycles, proactively testing for AI and GenAI vulnerabilities, adopting a programmatic approach to offensive security, and conducting red teaming exercises.