Healthcare entered 2026 still absorbing the largest cyberattack in the history of US medicine. As of July 31, 2025, the U.S. Department of Health and Human Services confirmed that the Change Healthcare ransomware attack impacted approximately 192.7 million individuals, nearly two thirds of the US population. Across the wider sector, healthcare data breaches cost an average of $7.42 million per incident in 2025, the highest of any industry for the 14th consecutive year, according to the IBM Cost of a Data Breach Report 2025. And Verizon's 2025 Data Breach Investigations Report logged 1,710 healthcare incidents with 1,542 confirmed disclosures, with system intrusion and ransomware now the top breach pattern in the sector. These are the healthcare cybersecurity statistics IT, security, and compliance leaders need to know going into 2026.
Key healthcare cybersecurity statistics at a glance
- 192.7 million individuals were affected by the Change Healthcare ransomware attack, per the HHS Office for Civil Rights. It is the largest healthcare breach ever reported.
- $7.42 million was the average cost of a healthcare data breach in 2025, the highest of any industry studied, per the IBM Cost of a Data Breach Report 2025. Healthcare has led every industry for 14 straight years.
- 279 days was the average time to identify and contain a healthcare breach in 2025, five weeks longer than the global average, per IBM.
- 697 large healthcare data breaches were reported to the HHS OCR breach portal in 2025, exposing the protected health information of at least 61.5 million individuals.
- 1,710 healthcare security incidents and 1,542 confirmed data disclosures were tracked by the Verizon 2025 DBIR, with system intrusion overtaking miscellaneous errors as the top pattern.
- 33% of healthcare ransomware incidents in 2025 began with exploited vulnerabilities, the most common technical root cause for the first time in three years, per Sophos State of Ransomware in Healthcare 2025.
- 58% of healthcare providers hit by ransomware recovered within a week in 2025, more than double the 21% reported in 2024, per Sophos.
- 460 ransomware incidents in the healthcare and public health sector were reported to the FBI Internet Crime Complaint Center in 2024, the highest of any critical infrastructure subsector.
- Nearly 1 in 4 healthcare delivery organizations surveyed reported an increase in patient mortality rates after a ransomware attack, per the Ponemon Institute.
- $3.09 billion was the total reported direct cost of the Change Healthcare cyberattack to UnitedHealth Group through the third quarter of 2024, per UnitedHealth Group's SEC filing.

Breach volume and PHI exposure: what the HHS portal shows
The HHS Office for Civil Rights publishes every healthcare breach of 500 or more individuals on its public breach portal. The 2025 ledger lists 697 large incidents, a 6% reduction from 742 in 2024, but with extraordinary concentration of harm. Even with the lower count, at least 61.5 million individuals had their protected health information exposed or impermissibly disclosed in 2025. Including the upward revision of the Change Healthcare total to 192.7 million in July 2025, the headline figures for the sector remain historic.
The portal breaks 2025 reports down by entity type: 523 incidents at healthcare providers, 56 at health plans, two at clearinghouses, and 128 at business associates of HIPAA covered entities. The location of breached PHI is now dominated by network servers (61.5% of incidents) and email accounts (24.9%), per HHS data. That mix is a clear signal that hospitals are no longer losing PHI to laptops left in cars; the modern healthcare breach is a network compromise.
The cost of a healthcare breach in 2025
Healthcare's average breach cost dropped from $9.77 million in 2024 to $7.42 million in 2025, per the IBM Cost of a Data Breach Report 2025. Even with the year over year improvement, healthcare remained the most expensive industry studied for the 14th straight year. The same IBM research found healthcare also has the longest breach lifecycle of any industry at 279 days from intrusion to containment, more than five weeks above the global average of 241 days. Detection and containment delays are the single biggest driver of healthcare breach costs because every additional day of attacker dwell time multiplies the volume of PHI at risk and the operational hit to patient care.
The economics show up clearly at the enterprise level. UnitedHealth Group reported in its Q3 2024 8-K filing that direct response costs from the Change Healthcare attack reached $3.09 billion through the first nine months of 2024, with full year impact projected as high as $2.45 billion in direct costs alone before factoring in lost revenue and business disruption. The company also provided more than $9 billion in advance funding and interest free loans to help downstream providers stay solvent while claims and pharmacy systems were offline.
Ransomware in hospitals: who is paying, who is recovering
Ransomware economics in healthcare changed sharply in 2025. The Sophos State of Ransomware in Healthcare 2025 report, based on a survey of 292 healthcare IT and security leaders, found median ransom demands against healthcare providers fell 91% year over year to $343,000, down from $4 million in 2024. Median ransom payments dropped from $1.47 million to just $150,000. The share of hospitals paying any ransom slipped to 36% in 2025, down from 61% in 2022.
Recovery has accelerated, too. 58% of healthcare providers hit by ransomware in 2025 were back online within a week, more than double the 21% who said the same in 2024, per Sophos. Two attacker tactics shifted at the same time. Encryption based attacks fell to 34% of incidents (from 74% in 2024), while extortion only attacks (data theft without encryption) tripled to 12% of cases. The headline takeaway: attackers are stealing more, encrypting less, and asking for less because providers have gotten better at refusing to pay.
Root causes tell the operational story. For the first time in three years, exploited vulnerabilities (33% of attacks) edged out compromised credentials as the leading technical root cause in healthcare, per Sophos. The most common organizational factor was a lack of in house cybersecurity capacity, cited by 42% of victim organizations. Sophos X-Ops identified 88 distinct ransomware groups actively targeting healthcare in 2025.
What the Verizon DBIR says about healthcare attack patterns
The Verizon 2025 Data Breach Investigations Report analyzed 1,710 healthcare security incidents and 1,542 confirmed data disclosures during the report period. System intrusion, which includes ransomware and extortion, overtook miscellaneous errors as the top pattern in healthcare, mirroring the broader industry shift. External actors caused 67% of healthcare breaches, insiders 30%, partners 4%, and 1% involved multiple parties. 90% of attacks on healthcare were financially motivated.
The most striking new datapoint from Verizon is an espionage motive: 16% of healthcare breaches in 2024 carried an espionage element, up from just 1% the year prior. That sixteen fold increase suggests a new class of actor (likely nation state aligned) is now actively pursuing US medical research, clinical trial data, and patient records. Verizon also reported that healthcare breaches involving a business associate or vendor doubled in one year, jumping from 15% to 30% of all incidents.
Patient safety: when cyberattacks become clinical events
Healthcare is the only industry where a cyberattack can directly lengthen a hospital stay or end a life. Research published by the Ponemon Institute (in partnership with Proofpoint) found that more than 20% of healthcare organizations hit by the four most common attack types (cloud compromise, ransomware, supply chain attacks, and business email compromise) experienced increased patient mortality rates after the incident. Nearly 1 in 4 providers reported the same outcome specifically following a ransomware attack.
Operational disruption is even more common. Per the same Ponemon research, ransomware caused procedure or test delays at 64% of victim organizations, longer patient stays at 59%, increased patient transfers or facility diversions at 65%, and complications from medical procedures at 36%. The Ascension Health ransomware attack in May 2024 (which exposed PHI for 5.6 million patients) forced ambulance diversions and paused elective care across the system. Ascension reported a $1.1 billion net loss for fiscal 2024, citing the cyberattack as a material factor.
Third party and business associate risk
Healthcare's biggest 2025 cyber story (the Change Healthcare breach) was a business associate event. So is the fastest growing risk vector in the sector. According to Verizon, the share of healthcare breaches involving a business associate doubled in one year, from 15% to 30%. The HHS breach portal lists 128 business associate breaches in 2025, accounting for a disproportionate share of total records exposed because vendors aggregate data from many covered entities.
The HHS Office for Civil Rights has been explicit that covered entities cannot outsource HIPAA liability. Under 45 CFR 164.404, covered entities remain responsible for ensuring affected individual notifications occur after a business associate breach, even when the business associate (such as UnitedHealth Group in the Change Healthcare case) volunteers to handle notification. That regulatory baseline means risk analysis of every business associate and a current business associate agreement on file are no longer optional controls.
Emerging trends and what is new in 2026
Three trends define healthcare cybersecurity heading into 2026.
Espionage now sits beside extortion. The Verizon 2025 DBIR jump from 1% to 16% espionage motive in healthcare breaches is the most consequential year over year shift in the report. Hospitals and biotech research organizations now face actors interested in intellectual property and patient cohort data, not just ransom payments. These actors are harder to detect than ransomware crews because they do not announce themselves.
Critical infrastructure status is a target, not a shield. The FBI IC3 2024 Annual Report recorded 460 ransomware incidents in the healthcare and public health sector, the highest of any critical infrastructure subsector. The Microsoft Digital Defense Report 2025 framed why: ransomware actors focus on hospitals because the consequences of downtime (potential patient harm) leave administrators with fewer options than CEOs in other sectors. The same Microsoft report found that 52% of all financially motivated cyberattacks with a known motive are now driven by extortion and ransomware.
Detection still lags by months, not days. The IBM 279 day healthcare breach lifecycle is the longest of any industry, and the gap between healthcare and the global average (241 days) is widening. That detection lag is the cost driver every CISO can act on in 2026. Endpoint visibility, identity monitoring, and vulnerability remediation have a measurable impact on dwell time, and dwell time is what turns a $1 million incident into a $10 million one.
For broader context on the trends above, see our ransomware statistics and data breach statistics roundups.
How swif.ai helps healthcare and healthtech teams
swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai mobile device management to see how it works.












































