Healthcare Data Breach Statistics
In 2025, Financial Services had 739 compromises; Healthcare had 534 compromises; Professional Services had 478 compromises; Manufacturing had 299 compromises; Education had 188 compromises.
16% of email-related healthcare breaches in 2025 involved business associates.
43.3% of healthcare email breaches involved Microsoft 365.
IT leaders estimate only 5% of known phishing attacks are reported by healthcare employees to their security teams.
Ransomware attacks on healthcare organizations surged by 264%.
Barracuda, Mimecast, and Proofpoint account for 26.7% of healthcare email breaches in 2024.
1.1% of healthcare organizations analyzed had a 'Low Risk' email security posture.
68.8% of healthcare organizations analyzed had a 'Medium Risk' email security posture.
31.1% of healthcare organizations analyzed had a 'High Risk' email security posture.
107 email-related HIPAA breaches were reported to the Department of Health and Human Services in just the first half of 2025.
In one enforcement case, a clinic was fined $25,000 for a single message that contained protected health information (PHI) and was sent to the wrong person without encryption.
17% of insider incidents involved personal healthcare information.
96% of healthcare organizations researched had at least two data loss or exfiltration incidents involving sensitive and confidential healthcare data in the past two years.
On average, healthcare organizations experienced 18 data loss or exfiltration incidents in the past two years.
36% of healthcare organizations that experienced data loss or exfiltration incidents say it caused delays in procedures and tests that resulted in poor outcomes.
55% of healthcare organizations say data loss or exfiltration incidents impacted patient care.
54% of healthcare organizations that experienced data loss or exfiltration incidents say it increased the mortality rate.
Between 2019 and 2023, healthcare experienced large losses primarily from ransomware (57.1%), followed by data breaches (28.6%) and other causes (14.3%).
The 2025 breach at DaVita compromised over 900,000 patients' personal and clinical data.
Microsoft 365 alone accounts for roughly 43% of healthcare email breaches.
In 2025, healthcare breaches took an average of 224 days to identify and another 84 days to contain, 308 days in total, or more than 10 months.
Vision Upright MRI faced a $5,000 fine plus two years of federal monitoring after a server breach exposed over 21,000 individuals' medical imaging records.
Phishing attacks now account for over 70% of healthcare data breaches as of 2024.
The healthcare sector experienced an average of two breaches per day in the first half of 2025.
The average cost of a healthcare breach fell by $2.35 million compared with 2024.
Breaches across the healthcare sector take the longest to identify and contain at 279 days, which is more than 5 weeks longer than the global average of 241 days.
Healthcare breaches remained the most expensive, averaging $7.42 million.
More than half (56%) of healthcare leaders say outdated infrastructure would delay breach recovery.
Almost 25% of healthcare leaders acknowledge it could take up to a month to detect and contain a data breach.
32% of healthcare organizations suffered a breach in the past 12 months.
70% of patients say they would consider switching providers after a data breach.
The healthcare sector had the most third-party breaches by count (78), but third-party breaches made up a below-average share (32.2%) of the sector's incidents.
43% of healthcare email breaches were tied to Microsoft 365.
98.9% of breached organizations lacked MTA-STS protections.
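The figure above only asks whether a domain publishes MTA-STS at all; a practitioner also wants to know whether the published policy actually enforces TLS, since a record in "testing" mode or one that misses an MX host still permits cleartext fallback. The checker below is an added example, not code from this page or from any vendor cited on it. It is stdlib-only Python that parses a `_mta-sts` TXT record and an `mta-sts.txt` policy per RFC 8461 and reports why a deployment would fall short of enforcement. The domain names, the sample records, and the 86400-second `max_age` threshold are constructed assumptions for illustration.

```python
"""Assess whether an MTA-STS deployment really enforces TLS (RFC 8461).

Two artifacts matter:
  1. DNS TXT record at _mta-sts.<domain>:  "v=STSv1; id=<token>;"
  2. Policy at https://mta-sts.<domain>/.well-known/mta-sts.txt with
     version/mode/mx/max_age lines; only mode "enforce" prevents a
     sender from falling back to cleartext delivery.
"""
import re
import urllib.request
from typing import List, Optional

# RFC 8461 s3.1: version tag, then an alphanumeric policy id (1-32 chars).
TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")

# Assumption for this example: a policy cached for less than a day is
# treated as weak; RFC 8461 only says max_age should be "long".
MIN_MAX_AGE = 86400

# Constructed sample records (not from any real domain).
GOOD_TXT = "v=STSv1; id=20250801T120000;"
GOOD_POLICY = (
    "version: STSv1\nmode: enforce\n"
    "mx: mail.clinic.example\nmx: *.mx.clinic.example\nmax_age: 604800\n"
)
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: mail.clinic.example\nmax_age: 3600\n"


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id if txt is a well-formed MTA-STS TXT record, else None."""
    m = TXT_RE.match(txt.strip())
    return m.group(1) if m else None


def parse_policy(body: str) -> dict:
    """Parse an mta-sts.txt body into {'version', 'mode', 'max_age', 'mx': [...]}."""
    policy: dict = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line; RFC says ignore unknown content
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """Match an mx pattern: exact host, or '*.' covering exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mx.clinic.example"
        return host.endswith(suffix) and host.count(".") == suffix.count(".")
    return host == pattern


def assess(txt: Optional[str], policy_body: Optional[str], mx_hosts: List[str]) -> List[str]:
    """Return findings; an empty list means MTA-STS is enforced for every MX host given."""
    findings: List[str] = []
    if txt is None or parse_sts_txt(txt) is None:
        findings.append("no valid _mta-sts TXT record: senders will never look for a policy")
    if policy_body is None:
        findings.append("policy file missing at /.well-known/mta-sts.txt")
        return findings
    p = parse_policy(policy_body)
    if p.get("version") != "STSv1":
        findings.append(f"unsupported policy version {p.get('version')!r}")
    mode = p.get("mode", "none")
    if mode != "enforce":
        findings.append(f"mode is {mode!r}: senders may still fall back to cleartext")
    if p.get("max_age", 0) < MIN_MAX_AGE:
        findings.append("max_age under one day: cached protection lapses too quickly")
    if not p["mx"]:
        findings.append("policy lists no mx entries")
    for host in mx_hosts:
        if not any(mx_matches(pat, host) for pat in p["mx"]):
            findings.append(f"MX host {host} not covered by policy; enforce mode would reject it")
    return findings


def fetch_policy(domain: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch a live policy over HTTPS from the RFC 8461 well-known URL.
    The TXT lookup needs a DNS library (e.g. dnspython) and is left to the caller."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except OSError:  # URLError/HTTPError and socket errors all derive from OSError
        return None


if __name__ == "__main__":
    for label, body in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(label, assess(GOOD_TXT, body, ["mail.clinic.example"]) or "enforced")
```

Run against a real domain by pairing `fetch_policy(domain)` with a TXT lookup of `_mta-sts.<domain>` and the domain's actual MX hosts; a clean result only proves the policy is consistent, not that every sending partner honours it, since MTA-STS protects mail arriving at the domain, not mail it sends.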
Solara Medical Supplies' $9.76 million settlement was due to a phishing-related breach affecting 114,000 patient records.