Healthcare Leads All Sectors in Breach Cost
For the 14th year in a row, healthcare has the highest breach cost of any sector. IBM's 2025 report puts the average at $7.42 million per breach. That is down from $9.77 million in 2024. But it is still far above every other field.
The global average across all sectors: $4.44 million.
Key Numbers
| Metric | Value | Source |
|---|---|---|
| Average breach cost | $7.42M | IBM 2025 |
| Cost per exposed record | $398 | IBM 2025 |
| Days to find and stop | 279 days | IBM 2025 |
| Large breaches (2025) | 710 | HHS OCR |
| People affected (2025) | 62 million | HHS OCR |
| Ransomware attacks | 445 | Comparitech 2025 |
Healthcare breaches take 279 days to find and stop. That is five weeks more than the world average. Nearly 10 months of open risk.
Why Medical Records Sell High
Medical records sell for 10 to 40 times more than credit cards on the dark web. Why? A single record holds a lot.
Rich Identity Data
Each record can contain:
- Full name, date of birth, Social Security number
- Address, phone, and email
- Insurance and job details
- Family member data
Many Fraud Types
Stolen records allow:
- Medical identity theft
- Insurance fraud
- Prescription fraud
- Tax fraud with SSNs
Data That Cannot Change
You can cancel a credit card. You cannot change your medical past, SSN, or date of birth. That is why records stay useful to criminals for years.
The Change Healthcare Attack
The largest healthcare breach on record hit Change Healthcare in February 2024. The BlackCat/ALPHV ransomware group ran the attack.
| Metric | Value |
|---|---|
| Records hit | 192.7 million |
| Total cost | $3.1 billion |
| Ransom paid | $22 million |
| Systems down | Weeks |
The attack cut off claims and drug processing across the US. Providers could not submit claims. Patients could not get their drugs. Revenue stopped.
The group took the $22 million ransom — then still leaked patient data online. Paying did not help.
How Ransomware Changed
Ransomware in healthcare changed a great deal from 2024 to 2025.
| Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Files locked rate | 74% | 34% | −54% |
| Data theft rate | 94% | 96% | +2% |
| Average ransom demand | $4M | $343K | −91% |
| Average ransom paid | $1.47M | $150K | −90% |
Attackers now focus on data theft, not file locks. Backups have gotten better, so file locks work less well. Stolen data still has value long after the attack ends.
The 96% theft rate means nearly every attack now takes data.
The 18 HIPAA Identifiers
HIPAA's Safe Harbor standard lists 18 identifier types that must be removed before health data counts as de-identified. Health data linked to any of them is Protected Health Information (PHI) under the law.
| # | Identifier | Examples |
|---|---|---|
| 1 | Names | Patient name, family names |
| 2 | Geographic data | Address, city, ZIP code |
| 3 | Dates | Birth, visit, discharge |
| 4 | Phone numbers | All phone numbers |
| 5 | Fax numbers | All fax numbers |
| 6 | Email addresses | All email addresses |
| 7 | SSN | Social Security numbers |
| 8 | Medical record numbers | MRN, chart numbers |
| 9 | Health plan IDs | Benefit numbers |
| 10 | Account numbers | Patient account numbers |
| 11 | License numbers | Driver's license, etc. |
| 12 | Vehicle IDs | VIN, license plates |
| 13 | Device IDs | Medical device serials |
| 14 | Web URLs | Patient portal URLs |
| 15 | IP addresses | All IP addresses |
| 16 | Biometrics | Fingerprints, voice prints |
| 17 | Face photos | And similar images |
| 18 | Other unique IDs | Codes, traits |
Vendors Are the Weak Link
Here is a key fact for every healthcare CISO:
Over 80% of stolen PHI came from third-party vendors, not hospitals.
Change Healthcare did not breach single hospitals. It hit a clearinghouse that processes claims for thousands of providers. One vendor failure spread to all of them.
Your PHI safety is only as strong as your weakest vendor.
HIPAA Fines Are Growing
HHS Office for Civil Rights (OCR) is taking action. In 2025:
| Metric | Value |
|---|---|
| Cases with fines | 21 |
| Total fines | $8.33 million |
| Top focus | Risk analysis gaps |
OCR targets groups that skip proper risk reviews. That is a core Security Rule step — and a common gap.
How anonym.legal Protects PHI
All 18 HIPAA Identifiers
anonym.legal covers all 18 HIPAA identifier types with checksum checks. Names, dates, SSNs, medical record numbers, phone, fax, email — all handled. See our HIPAA compliance guide for details.
Reversible Encryption
Many teams need to restore data for studies, audits, or legal review. anonym.legal uses AES-256-GCM encryption, so tokens can be decrypted back to the original values by holders of the right access keys.
Safe Harbor Compliance
The HIPAA Safe Harbor method requires removing all 18 identifier types. anonym.legal's HIPAA preset does this for you:
- Names → [PERSON]
- Dates → Year only
- ZIP codes → First 3 digits (if population >20K)
- Direct IDs → Encrypted tokens
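The following is an added illustration, not anonym.legal's code, of what the Safe Harbor preset above does to a clinical note, and of the audit check a reviewer would run afterwards against the identifier table earlier on the page. It applies the four listed rules (names to [PERSON], dates to year only, ZIP codes to their first three digits with low-population areas blanked, direct identifiers to reversible tokens) to a constructed patient record. The name list, the small LOW_POP_ZIP3 set and the TokenVault (a plain dictionary standing in for AES-256-GCM tokens so the example runs offline) are assumptions made for the example; a real deployment would load the restricted ZIP prefixes from current HHS guidance and use a name recognizer rather than a supplied list.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder: in production, load the restricted three-digit ZIP
# prefixes (areas with fewer than 20,000 people) from current HHS guidance.
LOW_POP_ZIP3 = {"036", "059", "102"}

NAME_TOKEN = "[PERSON]"

# Pattern-detectable identifier categories from the HIPAA list. Names and
# street addresses need a recognizer and are handled separately.
DATE_RE = re.compile(r"\b(?:(\d{1,2})/(\d{1,2})/(\d{4})|(\d{4})-(\d{2})-(\d{2}))\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN\s*#?\s*(\d{6,10})\b")
ZIP_RE = re.compile(r"\b(\d{5})(?:-\d{4})?\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

PATTERNS = {
    "SSN": SSN_RE, "MRN": MRN_RE, "email": EMAIL_RE, "phone": PHONE_RE,
    "full date": DATE_RE, "5-digit ZIP": ZIP_RE,
}


@dataclass
class TokenVault:
    """Reversible mapping for direct identifiers (assumed stand-in for
    encrypted tokens). Keep the vault under the same access control as the
    original PHI: whoever holds it can undo the de-identification."""
    forward: dict = field(default_factory=dict)
    reverse: dict = field(default_factory=dict)

    def tokenize(self, kind, value):
        key = (kind, value)
        if key not in self.forward:
            token = f"[{kind}_{len(self.forward) + 1:04d}]"
            self.forward[key] = token
            self.reverse[token] = value
        return self.forward[key]

    def detokenize(self, token):
        return self.reverse[token]


def zip_to_safe_harbor(zip_code):
    """First three digits, or 000 when the three-digit area is low-population."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POP_ZIP3 else prefix


def deidentify(text, names, vault):
    """Apply the Safe Harbor rules listed on the page to free text."""
    # Longest names first so a surname is not replaced inside a full name.
    for name in sorted(names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", NAME_TOKEN, text)
    # Direct identifiers become reversible tokens; do these before the ZIP
    # pass so digit runs inside them are not mistaken for ZIP codes.
    text = SSN_RE.sub(lambda m: vault.tokenize("SSN", m.group(0)), text)
    text = MRN_RE.sub(lambda m: "MRN " + vault.tokenize("MRN", m.group(1)), text)
    text = EMAIL_RE.sub(lambda m: vault.tokenize("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: vault.tokenize("PHONE", m.group(0)), text)
    # Dates keep only the year; ZIP codes keep only the first three digits.
    text = DATE_RE.sub(lambda m: m.group(3) or m.group(4), text)
    text = ZIP_RE.sub(lambda m: zip_to_safe_harbor(m.group(1)), text)
    return text


def residual_identifiers(text):
    """Audit step: which pattern-detectable categories still appear."""
    return sorted(k for k, rx in PATTERNS.items() if rx.search(text))


# Constructed sample record (no real person).
RECORD = (
    "Patient Jane Q. Doe, DOB 03/14/1958, SSN 123-45-6789, MRN 00123456. "
    "ZIP 02134; phone (617) 555-0100; email jane.doe@example.com. "
    "Admitted 2024-02-21, discharged 2024-02-25."
)

if __name__ == "__main__":
    vault = TokenVault()
    cleaned = deidentify(RECORD, ["Jane Q. Doe"], vault)
    print(cleaned)
    print("before:", residual_identifiers(RECORD))
    print("after: ", residual_identifiers(cleaned))
    print("round trip:", vault.detokenize("[MRN_0002]"))
```

The audit function is the part worth keeping in any pipeline: run it over the output, not the input, and treat a non-empty result as a release blocker. Note also that the vault is the reversibility secret; if it is stored next to the de-identified data, the data is effectively still PHI.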
Local Processing
At $7.42M per breach, you cannot send PHI to outside servers. anonym.legal's Desktop App runs on your own machine. Protected health data never leaves your network.
The Cost of Doing Nothing
| Scenario | Cost |
|---|---|
| Average healthcare breach | $7.42M |
| anonym.legal Business plan | €29/month |
| Annual cost | €348 |
| Break-even | 0.005% breach prevention |
If anonym.legal stops just 0.005% of a breach's cost, it pays for itself. The Change Healthcare attack cost $3.1 billion. Better PHI controls across that vendor chain could have stopped it.
Conclusion
Healthcare will stay a top target. PHI is valuable. Systems are complex. Vendor chains add risk. And the average breach takes 279 days to find.
By the time you know about a breach, the damage is done. The best move is prevention — before an incident starts.
Get Started
- Download Desktop App — Files stay on your machine
- Install Office Add-in — Protect clinical documents
- Start free trial — 200 tokens to test
Sources
- IBM Cost of a Data Breach Report 2025
- HIPAA Journal — Healthcare Breach Statistics
- Comparitech — Healthcare Ransomware 2025
- Sophos — State of Ransomware in Healthcare 2025
- HHS OCR — HIPAA Enforcement
- Change Healthcare Breach Analysis