CASE FILE // PC-2026-04
Status: Open


Filing: 03.01.00
Field: 27 APR 2026
Classification: Public

Phishing cost in healthcare: $9.77M average, 14 years at the top of the table

Healthcare has held the highest sector breach cost in every IBM Cost of a Data Breach report since the report began tracking sector splits, now at $9.77M average and $408 per PHI record. The Change Healthcare 2024 incident at $2.45B and over 100M affected individuals set the new upper bound.

Exhibit A

Why healthcare leads every other sector

IBM 2025

Healthcare phishing breach cost sits at $9.77M average per IBM Cost of a Data Breach 2025, the fourteenth consecutive year the sector has led every other industry on per-incident cost. The structural drivers are well understood. Protected Health Information (PHI) carries higher per-record liability than any other regulated data class at $408 per record. HIPAA enforcement layers fines on top of remediation cost, with the HHS Office for Civil Rights running an active enforcement program that has produced over $140M in cumulative settlement penalties through 2024. The HHS OCR breach portal publicly lists every healthcare breach involving more than 500 individuals, producing reputation damage that does not exist in other regulated sectors. And clinical-system disruption is a patient-safety event with civil-suit exposure independent of any data loss.

The phishing-specific picture within healthcare is heavier than the cross-sector mean. Phishing is the dominant initial access vector for healthcare breaches per Verizon DBIR 2025 healthcare annex, and the typical phishing-initiated breach in healthcare pivots quickly to either credential-takeover or ransomware deployment. The 2024 Change Healthcare incident, the largest healthcare data breach on US record, traced its initial access to credentials obtained via attacker-side phishing followed by ransomware deployment by the BlackCat (ALPHV) group. UnitedHealth Group has disclosed total incident cost of approximately $2.45B and over 100M affected individuals as of October 2024.[IBM 2025 + HHS OCR + UnitedHealth Group public disclosures 2024]

Exhibit B

The Change Healthcare 2024 case

CASE FILE

On 21 February 2024, Change Healthcare (a UnitedHealth Group subsidiary that processes approximately one in three US healthcare claims) experienced a ransomware deployment by the BlackCat / ALPHV ransomware affiliate. UnitedHealth Group has publicly stated that the initial access was obtained via compromised credentials on a Citrix Remote Access portal that was not protected by multi-factor authentication. The credential-theft step preceding the credential reuse is widely believed by independent analysts to have been a phishing-initiated theft, though UnitedHealth has not confirmed the specific credential-theft mechanism in public disclosures.

The downstream impact was unprecedented in healthcare. Claims processing across substantial portions of the US healthcare system was disrupted for weeks. Pharmacies, hospitals, and individual provider practices were unable to submit insurance claims or verify patient coverage. Independent estimates from the American Medical Association and the American Hospital Association placed weekly liquidity impact on provider practices in the tens of billions of dollars at the peak of disruption. UnitedHealth ultimately advanced approximately $9B in interest-free loans to affected providers to keep practices solvent during the disruption window.

The data-loss figures are equally significant. UnitedHealth confirmed in October 2024 that over 100 million individuals had PHI affected by the breach, making it the largest healthcare-sector PHI breach in US history. HHS OCR confirmed regulatory investigation. The cost figure of $2.45B includes IR engagement, ransomware payment (UnitedHealth has confirmed paying approximately $22M to BlackCat), provider loans, notification, monitoring services, and the system rebuild. Litigation cost is still accruing as of mid-2026 with multiple class actions pending. The Change Healthcare case anchors the upper bound of modern healthcare phishing-cost analysis and demonstrates that the per-incident cost can scale to 9-figure outcomes when the affected entity sits at a healthcare-infrastructure choke point.[UnitedHealth Group Q2-Q3 2024 disclosures + HHS OCR breach portal + Senate Finance Committee hearing testimony May 2024]

Exhibit C

The HIPAA breach-notification mechanics that drive cost


Healthcare breach cost is shaped by the HIPAA Breach Notification Rule, which is structurally more aggressive than equivalent rules in other regulated sectors. Three mechanics drive cost. First, individual-notification timing: breaches involving more than 500 individuals require notification of the HHS Secretary, individual notification, and prominent-media notification within 60 days of discovery. The 60-day window forces rapid forensic determination of scope and identity, which compresses the IR engagement into a higher-cost timeframe. Second, the public-listing requirement: every healthcare breach involving more than 500 individuals is listed on the public-facing OCR breach portal with entity name, number of individuals affected, and breach type. The portal is searchable and frequently referenced by patient-advocacy groups, journalists, and downstream litigation counsel, so the reputation-damage cost is structurally embedded in the regulation. Third, the per-violation civil monetary penalty schedule: HIPAA fines run $100 to $50,000 per violation with a $1.5M annual cap per violation category, and several categories can aggregate to total annual liability above $5M for serious cases.

The HHS OCR enforcement docket through 2023-2025 includes multiple seven-figure settlements driven by phishing-initiated breaches. The 2023 LifeLabs settlement (approximately $9.8M across multiple Canadian provinces, with parallel US class-action exposure) is illustrative of the cross-jurisdictional fine layering that international healthcare entities face. Smaller-entity settlements in the $250K to $2M band are routine and the enforcement cadence has been steady through the post-pandemic period.[HHS OCR enforcement annex 2023-2025 + 45 CFR 164.404-414]

Exhibit D

Cost-line build-up against the $9.77M figure


Cost line | Share of $9.77M | Dollar figure | Driver
Notification + monitoring + credit services | 23% | $2.25M | $408 per PHI record at scale
Incident response + forensics | 17% | $1.66M | 60-day HIPAA window compresses spend
Regulatory fines (HHS OCR + state) | 14% | $1.37M | HIPAA + state AG layering
Legal + class-action exposure | 13% | $1.27M | PHI exposure is a routine class trigger
Clinical-disruption cost | 11% | $1.07M | Cancelled procedures, diverted patients
Direct ransomware / wire loss | 10% | $977K | Where phishing pivoted to ransomware
Customer / patient churn | 7% | $684K | Patient panel shifts after disclosure
Security-control rebuild | 5% | $489K | One-time post-event capex

The notification and clinical-disruption lines are structurally larger than for any other sector. The clinical-disruption line is the single most-overlooked cost in healthcare breach modelling because it does not appear as a discrete IT cost; it surfaces in revenue-cycle slowdown, deferred procedures, and patient-safety litigation.[IBM 2025 healthcare cohort + HHS OCR enforcement record]

Exhibit E

The clinical-disruption-as-patient-safety dimension


Healthcare phishing breach cost includes a category that does not exist meaningfully in other sectors: patient-safety liability for clinical-system disruption. When a phishing-initiated ransomware event takes down a hospital's electronic medical records, medication-ordering, lab-results, or imaging systems, the resulting clinical disruption creates patient-safety risk that has translated into documented patient deaths in multiple 2023-2024 cases. The civil-suit exposure for these deaths is independent of the data-loss exposure and is increasingly modelled as a discrete cost line.

Two reference cases anchor the patient-safety cost line. The 2019 Springhill Medical Center case in Alabama involved the documented death of a newborn whose treatment was affected by a ransomware-driven downtime of fetal monitoring. The subsequent wrongful-death suit (Kidd v. Springhill Medical Center) was the first US case to assert direct causal liability between a cyberattack-driven clinical-system outage and a patient death. The case settled in 2023 with terms undisclosed but reportedly substantial. The 2020 University Hospital Düsseldorf incident in Germany involved a patient death attributed to ambulance diversion during a ransomware-driven clinical-system outage; German prosecutors investigated but ultimately did not file homicide charges, leaving the civil exposure as the primary cost vector.

The expected trajectory is that patient-safety litigation will become a routine component of major healthcare phishing-breach cost modelling through 2026-2028. Healthcare-sector cyber insurance carriers have already begun pricing this risk into coverage exclusions and sub-limits. Hospital boards have begun explicitly factoring clinical-system continuity into cyber-investment decisions in a way that does not have a parallel in other regulated sectors. The implication for the per-incident cost figure is that the $9.77M IBM average is likely an underestimate of true cost in cases where clinical disruption was material.[Kidd v. Springhill 2019-2023 case record + Düsseldorf 2020 incident reporting]

Exhibit F

Controls: workforce MFA, third-party SLA, segmented OT


#1 Phishing-resistant MFA across clinical workforce

~90% of credential-pivot value
Cost: $50 per user one-time

FIDO2 hardware-key MFA across clinical, billing, and IT-admin populations. The single most-leveraged healthcare phishing defence and the control whose absence enabled the Change Healthcare initial access.

#2 MFA enforcement on every remote-access portal

~85% of remote-access-portal compromise
Cost: Platform-licence dependent

Every Citrix, RDP, VPN, and admin-portal endpoint requires MFA. The Change Healthcare remote-access portal that was compromised was not protected by MFA. Enforcing MFA portal-wide is a mandatory control by 2026 and the most-cited gap in OCR enforcement findings.

#3 Network segmentation between clinical OT and IT

~60% of clinical-disruption cost
Cost: 6-18 months of network-engineering work

Segmenting clinical operational technology (medication-ordering, EHR, lab-results, imaging) from corporate IT limits the blast radius when phishing-initiated ransomware deploys. Hospital ransomware events that completed clinical-system takedown almost universally had insufficient segmentation.

#4 Third-party vendor MFA SLAs in BAA contracts

~40% of vendor-pivot risk
Cost: Procurement-team work

HIPAA Business Associate Agreements should require MFA enforcement on the BA's workforce as a contractual condition. Many existing BAAs predate the modern phishing threat model and do not include MFA SLAs. Updating BAA templates is procurement-team work with high regulatory leverage.

#5 Behavioural email security with healthcare-specific tuning

~50% of lure delivery
Cost: $42 to $96 per mailbox per year

Behavioural email security catches the spear-phish and BEC patterns common against healthcare finance and HR teams. Healthcare-specific tuning catches lures impersonating HHS, CMS, and major insurance carriers.

#6 Clinical-continuity playbook for 7-14 day downtime

~50% of clinical-disruption cost
Cost: $50K to $250K one-time

Pre-built downtime procedures, paper-backup workflows, manual order-tracking protocols. Reduces patient-safety exposure during the days-to-weeks window before clinical systems are restored. Mandatory for any hospital system with ransomware exposure.
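One way to measure control #2 (and how far control #1 has been rolled out) is to audit remote-access portal authentication logs for successful logins that carried no second factor. The following is an added example, not code from this case file or from any vendor product; the JSON-lines log format, its field names (portal, user, result, factors) and the sample records are all constructed assumptions for illustration.

```python
import json
# Constructed sample records, one JSON object per line. The field names
# (portal, user, result, factors) are an assumption for this example, not a
# real product's export schema; a real feed would need mapping onto them.
SAMPLE_LOG = """\
{"portal": "citrix-remote", "user": "rn.alvarez", "result": "success", "factors": ["password"]}
{"portal": "citrix-remote", "user": "dr.okafor", "result": "success", "factors": ["password", "fido2"]}
{"portal": "vpn-clinical", "user": "lab.tech01", "result": "success", "factors": ["password", "totp"]}
{"portal": "vpn-clinical", "user": "billing.lee", "result": "failure", "factors": ["password"]}
{"portal": "admin-rdp-gw", "user": "it.admin", "result": "success", "factors": ["password"]}
{"portal": "admin-rdp-gw", "user": "it.admin", "result": "success", "factors": ["password", "fido2"]}
"""
# Any of these is a second factor (control #2); only FIDO2 is phishing-resistant
# in the sense of control #1, since TOTP and push codes can be relayed by a lure.
SECOND_FACTORS = {"fido2", "totp", "push"}
PHISHING_RESISTANT = {"fido2"}

def parse_log(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        try:
            if line.strip():
                records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupt line must not hide the rest of the audit
    return records

def audit_mfa(records):
    """Per portal: successful logins, how many carried a second factor, how many
    a phishing-resistant one, and which accounts got in on a password alone."""
    report = {}
    for rec in records:
        if rec.get("result") != "success":
            continue  # a failed attempt granted no access, so it is not a gap
        stats = report.setdefault(rec["portal"], {
            "logins": 0, "mfa": 0, "phishing_resistant": 0, "password_only_users": set()})
        stats["logins"] += 1
        factors = set(rec.get("factors", []))
        if factors & SECOND_FACTORS:
            stats["mfa"] += 1
            stats["phishing_resistant"] += bool(factors & PHISHING_RESISTANT)
        else:
            stats["password_only_users"].add(rec["user"])
    return report

def portals_without_full_mfa(report):
    """Portals where at least one successful login had no second factor."""
    return sorted(p for p, s in report.items() if s["mfa"] < s["logins"])
```

Any portal returned by portals_without_full_mfa is the Change Healthcare pattern: a working password is enough to get in, and the listed accounts are the ones to re-enrol first.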

Exhibit G

Frequently filed questions

ON RECORD

What is the average phishing-related breach cost in healthcare?

$9.77M average per IBM 2025, the highest of any sector for 14 consecutive years, at $408 per PHI record.

What did the Change Healthcare 2024 breach cost?

UnitedHealth Group has disclosed approximately $2.45B in total incident cost as of late 2024, with over 100M individuals affected. The largest healthcare-sector PHI breach in US history.

What was the Change Healthcare initial access vector?

UnitedHealth has publicly confirmed compromised credentials on a Citrix Remote Access portal that was not protected by MFA. The credential-theft preceding the reuse is widely believed to have been phishing-initiated.

How does HIPAA breach notification work?

Breaches involving 500+ individuals require notification of the HHS Secretary, individual notification, and prominent-media notification within 60 days of discovery. Such breaches are also publicly listed on the HHS OCR breach portal.

Does clinical disruption count toward breach cost?

Yes, including cancelled procedures, diverted ambulances, deferred surgeries, and patient-safety civil-suit exposure. Multiple 2023-2024 hospital ransomware events have included documented patient deaths attributed to clinical-system unavailability.

What is the highest-leverage control?

Phishing-resistant MFA across the clinical workforce, then MFA enforcement on every remote-access portal. Both gaps are heavily cited in OCR enforcement findings.

Are BAA contracts a meaningful control surface?

Yes. Updating Business Associate Agreement templates to require MFA enforcement on the BA workforce is procurement-team work with high regulatory leverage. Many existing BAAs predate the modern phishing threat model.

Updated 2026-04-27