Healthcare Data Breach Costs $7.42 Million, AI Vulnerabilities

Although data breaches in the healthcare industry cost less than they did last year, healthcare is still the most targeted industry for cybercriminals for the fourteenth consecutive year.

The average healthcare industry data security breach costs $7.42 million per incident, making it the most expensive industry for breaches for the fourteenth consecutive year, according to IBM’s 2025 Cost of a Data Breach Report.

In collaboration with IBM, researchers from the Ponemon Institute studied 600 organizations from 17 industries across 16 countries and regions impacted by data breaches between March 2024 and February 2025. The report was released yesterday.

For comparison, breaches in the financial industry, which includes banking and investing, cost an average of $5.56 million per incident, and breaches in the industrial sector, which includes chemical processing and engineering, cost an average of $5 million.

In the United States, the average cost of a security breach rose 9% from last year to $10.22 million, while the global average cost fell. The U.S. increase is likely due to higher regulatory fines and detection and escalation costs. The countries that saw the biggest declines in cost were Italy (-27%), Germany (-24%) and South Korea (-21.5%).

Healthcare breaches also took an average of 279 days to identify and contain, which is more than five times longer than the global average, the report says.

Cybercriminals are drawn in by the healthcare industry’s patient personal identification information, which can be used to commit identity theft, insurance fraud and other financial crimes.

The role of AI in security breaches is complicated, seeming to both contribute to attacks and lead to their detection, the report data shows.

For example, approximately 16% of attacks overall involved hackers using AI, often in the form of phishing or deepfake attacks. One in six attacks was also driven by AI, and 97% of organizations that reported an AI attack reported that they lacked proper AI controls. Specifically, 20% of those attacks were attributed to Shadow AI, or the employee use of AI without employer approval or oversight.

However, breach costs have gone down, especially in the healthcare industry. Last year, healthcare data breaches cost an average of $9.77 million per breach, compared with this year’s $7.42 million. Additionally, $1.9 million was saved this year across industries by using AI-powered security programs, shortening breach times by an average of 80 days.

Still, only 49% of organizations plan to increase investment in new security programs within the next year, the report says. This is a 22% decrease from last year.

To prevent future attacks, the report recommends that industries:

  • have patients and employees use passkeys to log in to their accounts, in addition to passwords
  • implement safety protocols such as access control and encryption to protect data
  • integrate AI security and AI governance
  • use AI to identify threats more quickly
  • improve resilience through in-person or virtual training.

© 2025 MJH Life Sciences

All rights reserved.