Healthcare has led IBM's breach cost rankings for 14 consecutive years. The reasons have nothing to do with careless hospitals and everything to do with structural constraints that IS governance research has barely started to address.
I went back to the IBM Cost of a Data Breach Report this week, and the healthcare number is still the one I cannot stop thinking about: $9.77 million per breach (https://www.ibm.com/reports/data-breach), marking the 14th consecutive year in which healthcare tops every other sector. The 2024 global average is $4.88 million, so healthcare is running at double that. Fourteen years in a row at the top. When a statistic holds that consistently across organizations of different sizes, different geographies, and wildly different technical maturity levels, the explanation has to be structural. You cannot blame individual hospitals for a 14-year streak.
That is actually what draws me to this number as an IS researcher. Fourteen years of data is enough to rule out a whole category of explanations. If healthcare led the list because hospitals were unusually careless about security, you would expect the gap to narrow over time. Awareness has increased. Security spending in healthcare has grown substantially over the past decade. Hospitals hire CISOs now. They run phishing simulations, deploy endpoint protection, and write incident response plans. The spending is real, and the costs remain double the global average. Something structural is sustaining that gap.
I want to use Protection Motivation Theory here, because I think it explains the persistence better than any purely technical account. Rogers (1975), in the revised form the theory took in 1983, organizes protective behavior around two appraisals: threat appraisal, which is how serious and how likely the threat is, and coping appraisal, which is whether the organization believes an effective response exists and that it can actually carry that response out. When both appraisals are high, protective behavior increases. When coping appraisal is low, even accurate threat appraisal does not produce effective action. Healthcare organizations are not suffering from low threat appraisal. They know the threat is serious. The chronic problem is coping appraisal, and there are three structural reasons it stays suppressed in healthcare in ways that are almost unique to that sector.
The first is the regulatory overlay. HIPAA creates a cost structure for healthcare breaches that does not exist in most other industries. A covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. If the breach affects more than 500 residents of a state or jurisdiction, it must also notify prominent media outlets, and any breach affecting 500 or more individuals must be reported to the Department of Health and Human Services within the same 60-day window. HHS lists every breach of that size on a public portal, sometimes called the "Wall of Shame," where it remains visible indefinitely. Civil penalties for willful neglect that is not corrected run to roughly $1.9 million per identical provision per calendar year, a cap that HHS adjusts for inflation annually. That exposure transforms a moderate breach into a very expensive one before a single class action lawsuit is filed. The regulatory structure multiplies cost in ways that security spending cannot fully offset: the notification obligations attach to the breach occurring, regardless of fault, and the OCR investigation that follows every breach of that size looks for the compliance failures behind it.
The second factor is what health data is worth on criminal markets. Financial credentials lose value quickly because card numbers can be canceled. A stolen credit card is useful for days or weeks. A complete health record, combining insurance numbers, provider histories, prescription records, and Social Security numbers, remains useful for years because none of that information can be easily changed. The criminal economics of health data sustain a persistent demand that drives both the frequency and sophistication of attacks. Attackers who can sell health records for more money will invest more in acquiring them, which keeps healthcare at the top of the targeting list regardless of what any individual hospital does about its own defenses.
The third structural factor is the operational constraint that healthcare faces and that almost no other industry shares. Taking a hospital's systems offline to stop a breach is not the same as taking a retailer's inventory system offline. Patients on ventilators, in surgery, or waiting for medication management cannot wait for IT to resolve an incident. The cost of keeping compromised systems running during an active breach, accepting spread in order to maintain patient care, is a tradeoff that healthcare organizations routinely make. Other industries can sacrifice systems for security. Healthcare often cannot. This creates a ransomware problem that is categorically different from the same problem in manufacturing or retail. When a manufacturing firm gets hit, it faces a painful calculation about paying the ransom versus restoring from backups. When a hospital gets hit, the same calculation has a patient safety dimension that compresses the timeline and raises the stakes. Ransomware actors know this, and it is part of why healthcare remains such a concentrated target even as other sectors develop better response playbooks.
Protection Motivation Theory predicts that the coping appraisal problem is deepest for smaller organizations. Rural hospitals and community health centers operate with thin margins and limited security staff. Their coping appraisal for a sophisticated ransomware attack is genuinely low, and it is low for accurate reasons. They cannot realistically staff a 24-hour security operations center. They cannot afford the same endpoint detection and response tools that large health systems deploy. When coping appraisal is low, even high threat appraisal does not reliably produce effective protective behavior. Smaller healthcare organizations may have very high threat awareness and still not invest in the right controls, because the investment feels futile given what they can actually field against a determined adversary.
The interoperability question adds another layer. Modern healthcare delivery requires that patient data move between systems: from a primary care EHR to a specialist's system to a pharmacy to a lab to an insurance platform and back. Every connection in that chain widens the attack surface. The Health Information Technology for Economic and Clinical Health Act, passed in 2009, pushed healthcare toward digital interoperability. That was the right policy for care coordination. It also expanded the attack surface substantially, because data that moves between systems creates more entry points than data that stays in one place. A large health system operating Epic or Cerner across dozens of facilities, connected to external labs, pharmacies, and payers, has a perimeter that is functionally impossible to secure in full. The complexity that makes those systems useful for care also makes them extremely difficult to lock down.
Patch cycles make this worse in a way that is specific to regulated environments. Much of the software in a hospital runs on or beside regulated medical devices, where the manufacturer rather than the hospital controls when a patch ships and a validated configuration cannot be changed casually. Customizations made during EHR implementation create configurations the vendor never tested. Legacy systems that predate the main EHR remain in the environment because replacing them is expensive and disruptive. A characteristic breach pattern at a large health system is an attacker finding the seam between the current EHR and a legacy billing system that has not been updated in years. That seam is not a technical failure by the security team. It is a consequence of the regulatory and financial environment that governs how healthcare organizations can change their technology stack.
Here is what worries me as an IS researcher. The IS governance literature is not engaging with this structural dimension the way it should. We have decent individual-level models for why employees click phishing links. We have reasonable organizational-level models for security investment decisions. We do not have good models for how regulatory structure, criminal market dynamics, and operational constraints interact to produce persistent sector-level breach cost differentials. The 14-year streak is a standing invitation to that kind of research, and I have not seen anyone in IS take it seriously as a structural governance puzzle rather than a technology deployment problem.
I keep asking myself: if you held everything else constant and changed only the HIPAA notification and penalty structure, how much of the $9.77 million average would close toward the global mean? I do not know how to answer that empirically, and I think it is one of the more important unanswered questions in healthcare IS governance. What the IBM data makes clear is that individual organizational decisions are operating inside a structural constraint that sets a floor. No amount of good security practice by an individual hospital fully offsets the regulatory penalty exposure, the criminal market for health data, and the operational impossibility of going dark to contain a breach. The floor is high. And until the research community treats it as a floor problem rather than an individual performance problem, 14 years will become 15.
---
claims_checked:
- "Healthcare $9.77M average breach cost, 14th consecutive year as costliest sector": "https://www.ibm.com/reports/data-breach"
- "Global average breach cost $4.88M in 2024": "https://www.ibm.com/reports/data-breach"
- "HIPAA 60-day individual notification requirement": "https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html"
- "HHS public breach portal (Wall of Shame)": "https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf"
- "HITECH Act passed 2009": "https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html"
claims_unverified:
- "HIPAA civil penalties up to $1.9M per violation category per year: consistent with HHS enforcement documentation, not re-fetched this session; hedged as regulatory knowledge"
- "Dark web health record durability vs. financial credentials: well-documented in security literature but not cited to a specific market price; hedged as criminal market dynamics"
- "Legacy billing systems in healthcare as common environment: illustrative framing, not a cited statistic"
sources_used:
- "https://www.ibm.com/reports/data-breach"
- "https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html"
- "https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html"