U.S. Data Breach Costs Reach All-Time High; Healthcare Data Breach Costs Fall
Healthcare organizations have to cover the highest costs for data breaches, although costs have fallen by $2.35 million to an average of $7.42 million per breach, according to the 2025 Cost of a Data Breach Report from IBM. Healthcare remains the costliest industry for data breaches, having topped the list for breach costs for the past 14 years. The next most expensive industry for data breaches was the financial sector, with average breach costs of $5.56 million.
IBM first started publishing its cost of a data breach reports in 2005, and costs have generally increased year-over-year during the past two decades. While the average cost of a data breach increased once again in the United States to a record $10.22 million per breach, up 9% from 2024, globally, data breach costs have fallen, dropping by 9% to an average of $4.44 million per breach. This is the first time in five years that data breach costs have fallen year-over-year.
The data for this year’s report was collected by the Ponemon Institute on behalf of IBM and involved an analysis of breach data from 600 organizations in 17 industry sectors, in 16 countries and geographic regions. Organizations in the financial, industrial, professional services, and technology sectors accounted for 47% of the organizations studied, with 2% of the sample size coming from the healthcare sector. In addition to the survey data, IBM researchers conducted interviews with more than 3,400 security and C-suite business leaders.
The global decline in data breach costs was largely attributed to faster detection and containment, with a greater percentage of breached entities discovering the data breaches themselves, rather than being notified by attackers. The increased speed of detection is partially driven by AI-based security solutions and automation. The increase in breach costs in the United States was attributed to higher regulatory penalties and higher costs for containment.
IBM considers several factors when assessing data breach costs, including the cost of detection and containment, post-breach response costs, loss of business, and notification costs, all of which fell globally, with the greatest reduction in detection and containment costs, which dropped 10% year-over-year. One of the main factors affecting data breach costs is the time taken to identify and contain a breach, which across all industry sectors fell to a 9-year low of 241 days. Healthcare organizations took the longest to detect and contain incidents, at 279 days, 5 weeks longer than the global average. The long breach lifecycle significantly increases breach costs in the sector, as do the regulatory penalties and lawsuits that often follow.
The most commonly breached data was personally identifiable information of customers, which was stolen or exposed in 53% of data breaches, with employee data stolen in 33% of data breaches, and intellectual property in 33% of data breaches. The most common initial access vector was phishing, which accounted for 16% of data breaches, followed by vendor and supply chain compromise (15%), and compromised credentials (10%). Compromised credentials were the leading initial access vector in 2024.
IBM calculated the main factors that influence data breach costs. The factors that had the greatest effect on increasing breach costs were supply chain breaches, security system complexity, and shadow IT, each adding more than $200,000 to average data breach costs. The top three factors that helped reduce data breach costs were the adoption of a DevSecOps approach for software development, AI-driven and ML-driven insights, and security analytics or SIEM, each of which shaved more than $210,000 from average data breach costs.
Regardless of the cause, data breaches usually result in disruption to business operations, with 86% of businesses that experienced a data breach reporting some disruption to business operations. With such high costs involved, businesses report having to pass data breach costs on to their customers, with 45% of businesses saying they would increase prices in response to a data breach, and almost one-third saying prices will increase by more than 15%. Ransomware attacks can be hugely disruptive for businesses, and paying a ransom can accelerate recovery, but there is growing reluctance to give in to attackers' demands, with 63% of ransomware victims refusing to pay a ransom, up from 59% last year.
