A new report built on 70,000 cyber insurance claims puts a dollar figure on what the annual DBIR has documented for years, and healthcare comes out as one of the most expensive sectors to get breached in. Costs associated with healthcare breaches are 57% above average.
What happened
Verizon Business has published its inaugural Breach Impact Study, a companion report to the annual Data Breach Investigations Report focused specifically on the financial cost of breaches rather than how they happen. The study analyzed approximately 70,000 US cyber insurance claims filed between January 2019 and October 2025, including 38,000 claims where the policy actually paid out. Unlike many breach cost reports that rely on average costs, which can be skewed by a small number of extreme cases, this report uses median figures. The median financial impact of a breach rose from around $60,000 in 2019 to $110,000 in 2025, an 80% increase that outpaced inflation over the same period by more than three times. More than half of paid claims exceeded $83,000, one in ten exceeded $920,000, and the most extreme 2.5% of cases exceeded $5 million.
Going deeper
Healthcare stood out in the dataset for specifically the size of its liability costs. The study included more than 8,640 healthcare claims with 5,100 recorded losses, and healthcare accounted for 23% of total losses across the entire dataset despite being one sector among many analyzed. The median liability loss in healthcare was 57% higher than the overall study average. Within healthcare, response and recovery costs made up 29% of total losses, business interruption accounted for 24%, and external liability made up 23%. Ransomware was the most common incident type prompting a healthcare claim, appearing in 39% of cases and representing 60% of total healthcare costs, with a median cost of $77,051 per ransomware incident. Business email compromise, where an attacker gains access to a legitimate email account and uses it to redirect payments or steal data, appeared in 22% of healthcare claims and accounted for 10% of total costs, with a median cost of $94,924, higher than the median ransomware cost despite occurring less frequently.
What was said
The report noted that business interruption was the single largest driver of losses across the full dataset, ahead of the direct financial loss to the threat actor and the cost of response and recovery combined. For software supply chain and third-party incidents specifically, the study found business interruption accounted for 50% of all losses. Those incidents were relatively rare, making up around 2% of claims, but when they occurred, costs were more than double the overall dataset average, with the most extreme cases exceeding $100 million in losses.
In the know
The Breach Impact Study's findings align closely with what the 2026 Verizon Data Breach Investigations Report documented earlier this year using a different dataset. That report found third-party involvement in breaches rose 60% year over year and now features in 48% of all breaches, according to SecurityWeek. The DBIR also found vulnerability exploitation had overtaken stolen credentials as the leading breach entry point for the first time in the report's 19-year history. The two reports come from the same authoring team and use overlapping data sources, and the financial figures in the Breach Impact Study give a dollar value to the operational patterns the DBIR describes in terms of frequency and technique.
The big picture
The gap between healthcare's median liability cost and the overall dataset average puts a specific number on a pattern that has been documented anecdotally for years, regulatory exposure, patient notification requirements, and litigation risk make healthcare breaches disproportionately expensive relative to their technical scope. A ransomware attack on a mid-sized medical practice carries the same operational disruption as a similar attack on a retailer, but the healthcare organization faces HIPAA notification obligations, OCR investigation risk, and a patient population whose data carries higher black-market value, all of which compound the liability side of the cost equation. The finding that business email compromise carries a higher median cost than ransomware in healthcare specifically is worth close attention, since BEC incidents often receive less security investment than ransomware defenses despite the higher per-incident cost documented here. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, the platform most commonly targeted in the credential theft and account takeover techniques that enable BEC.
FAQs
Why does the study use median costs instead of average costs?
A small number of extremely expensive breaches can pull an average cost figure far higher than what a typical organization actually experiences, making averages a misleading benchmark for planning purposes. Median costs represent the midpoint of the dataset, giving a more realistic picture of what most affected organizations actually pay.
Why is business email compromise more expensive per incident than ransomware in healthcare?
Ransomware costs are often concentrated in encryption recovery, business interruption during system downtime, and in some cases a ransom payment. BEC incidents frequently involve direct financial theft through fraudulent wire transfers or payment redirection, combined with the same notification and liability costs, without necessarily involving the operational downtime that comes with encrypted systems, which can make the financial loss itself larger relative to the total incident cost.
What does the SMB revenue ratio finding mean for smaller healthcare practices?
While small and mid-sized businesses had lower median breach costs in dollar terms than large enterprises, the study found the ratio of breach costs to insured revenue reached as high as 7% in the most extreme small business cases, compared to no more than 2% for large enterprises, even in extreme scenarios. A breach that would be a manageable expense for a large health system can be proportionally devastating for a small practice.
Why do third-party and supply chain incidents cost so much more when they occur?
When a vendor serving many client organizations is breached, the resulting business interruption often affects all of those clients simultaneously, multiplying the operational impact far beyond what a single organization's own breach would cause. The concentration of downstream dependencies is what pushes the most extreme third-party incidents past $100 million in documented losses.
How should healthcare organizations use this data in budgeting for cyber insurance and security investment?
The median costs by incident type give healthcare organizations a concrete benchmark for evaluating whether their cyber insurance coverage limits are adequate, particularly given that healthcare liability costs run well above the overall study average. The finding that BEC carries a higher median cost than ransomware also suggests security budgets that prioritize ransomware defense over email account protection may be misallocating resources relative to actual financial risk.
