A new IBM report puts the costs of healthcare breaches well above other sectors. While some systems use AI to help bolster cybersecurity, there are growing vulnerabilities.
The healthcare industry retains an unwanted distinction when it comes to cybersecurity.
The average cost of a healthcare data breach has once again surpassed all other industries, according to a new report released today by IBM. In its annual report on the cost of breaches, the average healthcare data breach cost $7.42 million. It’s the 14th consecutive year that healthcare data breaches ranked as the most expensive in any industry.
The average cost of a health data breach has dropped compared to last year’s report, which put the average price tag at $9.77 million. Two years ago, the average price was $10.93 million.
Limor Kessem, IBM Consulting’s global lead for cyber crisis management, tells Chief Healthcare Executive® that the drop in the average cost is encouraging, to a point.
“This is a good surprise, although, it's still beyond the other sectors, still a sector that suffers from data breaches,” she says.
The gap between the cost of health data breaches and other industries remains substantial. The global average cost of a data breach, covering all industries, was $4.44 million, or about $3 million less than the cost of a data breach in the healthcare sector. It’s the first time in five years that the average global cost of data breaches has dropped.
Still, the drop in the average cost of a healthcare data breach reflects potentially positive developments, as more organizations are using AI tools in their cybersecurity plans, Kessem says.
“Overall, we're talking about more use of AI, more use of automation and AI becoming a lot more mainstream in security operations,” Kessem says. “I think that's paying dividends, in that sense. That's just containing and detecting and doing stuff a lot faster than the organizations would, and the more you cut the time to do things, the more money you save.”
The healthcare industry still took more time to detect breaches than other sectors.
On average, healthcare organizations needed 279 days to identify and contain breaches, more than five weeks longer than the worldwide average of all sectors, the report states.
The drop in the average cost of healthcare data breaches also suggests that attackers are targeting smaller health organizations. Industry leaders say smaller hospitals and clinics are becoming more frequent targets for ransomware groups.
Attackers are “going after these smaller organizations for very obvious reasons, because they're lower hanging fruit in terms of just having a security budget, security tools, security staff,” Kessem says.
AI-powered attacks
While healthcare organizations are using AI to bolster their defenses against cyberattacks, ransomware groups are also taking advantage of the technology.
“AI is doing good things for everyone. It's doing good things for the security teams. It's for organizations, for people's productivity, and for everyone,” Kessem says. “It also includes the attackers who are able to build better phishing very quickly.”
While some attackers years ago sent emails that were easy to spot as suspicious, because they were riddled with typos or used clunky language, ransomware groups are sending more polished messages that seem more authentic. Attackers are using AI to craft more convincing emails.
“They just tell an AI LLM to build a credible story,” Kessem says. “It doesn't have the mistakes and the funny syntax. They can do it a lot faster, in any language they want.”
And this is noteworthy because the healthcare industry has proven to be extremely susceptible to phishing attacks. “For the healthcare sector, by the way, phishing was the top attack vector where attackers made it through,” Kessem says.
Ransomware groups are also using AI tools to develop software to infiltrate organizations.
“They could write malware without knowing how to write malware. Just get the code, make sure it works, and proceed. So they're doing things a lot faster,” Kessem says.
For attackers that have some proficiency in writing code, AI tools help them to work faster, she adds.
More health systems are adding AI technologies, but the IBM report also indicates that many organizations haven’t developed governance policies for these solutions. The report found that nearly two-thirds of organizations that have suffered a breach don’t have any governance policy for their AI tools or are still working on developing one. Even among organizations that have adopted AI governance policies, only 34% say they perform regular audits for unsanctioned AI.
More AI vulnerabilities
Perhaps most distressing, the IBM report indicates some attacks involve the AI models or applications of organizations. It’s a fairly small number to date, with 13% reporting a breach tied to their AI models. However, nearly all (97%) of those that did report such breaches did not have proper access controls.
“AI comes, and everybody is really rushing to innovate. They really want to be first. They don't want to be left behind. They don't want to delay,” Kessem says. But too often, she says companies aren’t employing sufficient governance strategies because they view it as taking too long.
“That just is an overall problem that's going to keep growing,” Kessem says.
Kessem says there are growing vulnerabilities for breaches with “shadow AI,” where employees are using their preferred AI tools that haven’t been approved by their organizations. And organizations aren’t tracking those uses.
“I think this shadow AI thing is a big deal, because people tend to do it without thinking, just wanting to speed up their work, wanting to get things done, and it just happened,” Kessem says.
One in five organizations reported a breach tied to shadow AI, and only 37% said they have policies to manage or find it, according to the IBM report.
Companies with higher usage of shadow AI also had more costly breaches; breach costs in those organizations were $670,000 higher than in those with little or no shadow AI, the report states.
With greater use and vulnerabilities tied to AI, Kessem says it’s possible that there could be larger and more damaging cyberattacks in the near future.
“I think AI is going to make cyber attacks larger,” Kessem says. “I think by next year, we're going to be looking at a whole different story here.”