In This Article
- The 14-Year Streak No Healthcare Leader Wants
- Anatomy of the Modern Healthcare Breach
- What Is Actually Inside the $7.42 Million Number
- The OCR Settlement Pattern Every Practice Should Read
- Why This Is a Microsoft 365 Governance Problem in Disguise
- How ABT Guardian for Healthcare Closes the Gap
- Frequently Asked Questions
The 2025 IBM Cost of a Data Breach Report landed with a number that should stop every healthcare CEO and CISO mid-sentence. The average healthcare breach now costs $7.42 million. That is down 24% from the prior year, but it is still the highest of any industry. That is 14 years in a row. For context, the U.S. cross-industry average is $10.22 million, and healthcare's combination of long detection times and regulatory exposure keeps it well above the global baseline of $4.44 million.
For practice owners, hospital IT directors, and CISOs sitting across from auditors, plaintiffs' attorneys, and HHS investigators, the headline number is not the story. The story is what is underneath the number and why the same root cause keeps showing up in every settlement HHS has published since the Change Healthcare incident.
This article walks through the 2025 IBM data, the two case studies that made 2024 the most expensive year in healthcare cybersecurity history, the OCR enforcement pattern that has produced four ransomware settlements and a malicious-insider settlement in the past 12 months, and the Microsoft 365 governance work that prevents the next one.
The 14-Year Streak No Healthcare Leader Wants
IBM's Cost of a Data Breach Report has tracked breach costs by industry since 2011. Healthcare has held the top spot every single year. The 2025 number ($7.42 million average per healthcare breach) is the lowest in five years, but the context matters. The U.S. national average across all industries hit $10.22 million in 2025, driven by regulatory fines and longer detection windows. Healthcare's drop reflects faster identification and containment in the largest health systems, not a softer threat landscape.
The mean time to identify and contain a healthcare breach is 279 days. That is five weeks longer than the global average. Every additional day inside the network is a day an attacker is exfiltrating records, encrypting backups, or pivoting into a connected vendor's environment. For a 200-bed community hospital, 279 days is enough time to lose a season of revenue.
The 14-year streak is not bad luck. It is the predictable output of three structural conditions that no other industry shares at the same intensity:
Why Healthcare Stays at the Top
- Protected health information is the highest-value record on the dark web because it includes financial identifiers, insurance numbers, and medical history that does not expire.
- Clinical operations cannot tolerate downtime, which makes ransomware payments rational in the moment.
- The average healthcare organization runs hundreds of connected vendors, devices, and applications, and each one is a potential entry point that examiners hold the provider accountable for.
Anatomy of the Modern Healthcare Breach
Two events in 2024 reshaped how the industry thinks about breach cost. Both are still being paid for in 2025 and 2026.
Change Healthcare. In February 2024, a ransomware attack on UnitedHealth Group's Change Healthcare subsidiary disrupted claims processing for thousands of providers across the country. By the time Change Healthcare reported the breach to OCR, the affected population reached 192.7 million individuals, making it the largest healthcare breach ever reported. UnitedHealth's most recent estimate puts the cost of the incident at approximately $2.45 billion. The attackers entered through a remote-access portal that did not require multi-factor authentication.
Ascension. In May 2024, ransomware hit Ascension, one of the largest non-profit health systems in the country. The attack forced 140 hospitals onto downtime procedures, diverted ambulances, and exposed the records of 5.6 million patients. Ascension reported a fiscal 2024 operating loss of approximately $1.8 billion, with the cyber incident a primary contributor. The system's fiscal 2025 results show a $1.3 billion year-over-year improvement in operating loss, demonstrating just how long the financial drag persists after the attackers are gone.
The Pattern
In both cases, attackers used credential-based access against a Microsoft or web-facing identity surface. In both cases, the entry point was not a zero-day. It was an identity control that had been left in the default configuration. The bill arrived months later in the form of operating losses, class actions, regulatory inquiries, and patient notification costs.
What Is Actually Inside the $7.42 Million Number
The 2025 IBM report breaks the U.S. average down into components that healthcare leaders should know by heart:
- $398 per compromised record in healthcare, the highest per-record cost of any industry tracked.
- 279 days mean time to identify and contain a healthcare breach.
- $10.22 million average breach cost across all U.S. industries, with regulatory fines and detection delays as the two biggest drivers of the U.S. premium over the global average of $4.44 million.
- 80 days saved when AI and automation are deployed extensively in security operations, a savings of nearly $1.9 million on average per breach.
For a 50-physician practice that holds 75,000 patient records, the per-record cost alone implies a $29.8 million exposure if the entire database were exfiltrated. That is not a theoretical number. It is the calculation a plaintiffs' attorney runs on day one of a class action.
The bill from a healthcare breach is not paid in the week after the attack. It is paid over the 24 months that follow, in operating losses, in OCR corrective action plans, and in patient trust that does not return.
The OCR Settlement Pattern Every Practice Should Read
The HHS Office for Civil Rights has been very explicit about what regulators want to see when they walk into a covered entity after a breach. Five settlements in the past 12 months tell the same story:
| Settlement | Amount | Records Affected | Root Cause Cited by OCR |
|---|---|---|---|
| BayCare Health System (FL) | $800,000 | 1 patient, malicious insider | Failed risk analysis, inadequate access logging |
| Assured Imaging | $375,000 | ~245,000 | Never conducted a compliant risk analysis (PYSA ransomware) |
| Axia Women's Health (Regional Women's Health Group) | $320,000 | 37,989 | Risk analysis failure, ransomware exfiltration |
| Star Group / SG Health Plan | $245,000 | 9,316 | Risk analysis failure, ransomware |
The HHS OCR press releases use almost identical language across all four ransomware cases. The phrase OCR keeps printing: a failure to "conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information." Every corrective action plan requires the entity to perform a compliant risk analysis going forward, develop a risk management plan to bring vulnerabilities to a reasonable level, and submit to two years of OCR monitoring.
Read This Twice
OCR is not citing these entities for the ransomware. OCR is citing them for not knowing the ransomware could happen. The HIPAA Security Rule requires a documented, current, accurate risk analysis. A breach without a defensible risk analysis on file is a settlement waiting to be drafted.
Why This Is a Microsoft 365 Governance Problem in Disguise
The Change Healthcare attack vector was an identity portal without MFA. The Ascension entry point involved credential-based access. The four ransomware settlements above all involve practices that ran Microsoft 365 in a configuration that left identity, audit logging, and data-loss prevention close to the out-of-the-box defaults.
For most healthcare organizations, the gap is not a missing tool. It is a missing configuration baseline. Microsoft 365 ships with Entra ID, Conditional Access, Purview audit logging, Defender for Office 365, Intune device management, and Information Protection sensitivity labels. All of them can be configured to meet HIPAA Security Rule expectations. Very few practices actually have them turned on, tuned, and monitored for drift.
That is the gap OCR keeps finding. A practice signs a Microsoft Business Associate Agreement (Microsoft offers a HIPAA BAA for Microsoft 365 and Azure, documented at learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech), assumes the BAA equals compliance, and never completes the tenant-side hardening that the BAA explicitly requires the customer to do. The Microsoft BAA is necessary. It is not sufficient.
The configuration OCR keeps finding: a practice with a signed Microsoft BAA, default Conditional Access policies in report-only mode, audit logs retained for 90 days, no DLP policies for PHI, no sensitivity labels, and no documented risk analysis tying tenant settings to HIPAA Security Rule requirements.
The outcome: a documented, accurate risk analysis. A risk management plan with prioritized remediation. Continuous review of tenant configuration. Two years of OCR monitoring under a corrective action plan. A six-figure settlement that becomes a public press release.
How ABT Guardian for Healthcare Closes the Gap
ABT manages Microsoft 365 tenants for highly regulated organizations. Guardian is ABT's operating model for that work. It runs four phases on a continuous loop: hardening, monitoring, insights, and response. For healthcare practices, every phase maps to a HIPAA Security Rule expectation and to the specific findings OCR has been citing in 2025 settlements.
Hardening. ABT deploys a tenant baseline that turns on MFA enforcement through Entra ID Conditional Access, configures Purview audit log retention for the duration HIPAA expects, applies DLP policies that detect protected health identifiers, and turns on Defender for Office 365 anti-phishing for the email surface that produces most healthcare breaches.
Monitoring. Guardian checks tenant health continuously against 160-plus Microsoft Secure Score controls. When a setting drifts from the baseline (someone disables Conditional Access for a vendor account, a new admin account is created without MFA, an external sharing link gets created for a folder labeled PHI), Guardian flags it. The output is the evidence trail OCR expects in a current, accurate risk analysis.
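The drift checks described in the Hardening and Monitoring phases, and the report-only Conditional Access and unprotected admin accounts the previous section describes, as an added example that is not ABT Guardian's code: it evaluates constructed Microsoft Graph payloads in the shape of the Conditional Access policies and user registration details endpoints, and every policy id, display name and user name in it is made up.

```python
"""Baseline drift checks over Microsoft Graph payloads (added example, not ABT's code)."""
# Constructed sample of GET /identity/conditionalAccess/policies: the MFA policy was left
# in report-only mode (so it enforces nothing) and has a vendor account excluded from it.
CA_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["vendor-guid-0001"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
# Constructed sample of GET /reports/authenticationMethods/userRegistrationDetails
REGISTRATION = [
    {"userPrincipalName": "admin@clinic.example", "isAdmin": True, "isMfaRegistered": False},
    {"userPrincipalName": "nurse@clinic.example", "isAdmin": False, "isMfaRegistered": True},
]

def enforced_mfa_policies(policies):
    """Ids of policies that actually enforce MFA for all users on all cloud apps."""
    out = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only and disabled policies never block a sign-in
        conds = p.get("conditions", {})
        users = conds.get("users", {}).get("includeUsers", [])
        apps = conds.get("applications", {}).get("includeApplications", [])
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "All" in users and "All" in apps and "mfa" in controls:
            out.append(p["id"])
    return out

def drift_findings(policies, registration):
    """Baseline violations as (code, subject) pairs, the rows a risk analysis would cite."""
    findings = []
    if not enforced_mfa_policies(policies):
        findings.append(("NO_ENFORCED_MFA_POLICY", "no enabled all-users MFA policy"))
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        excluded = p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if "mfa" in controls and excluded:  # every exclusion is an unprotected identity
            findings.append(("MFA_POLICY_EXCLUSION", f'{p["displayName"]}: {", ".join(excluded)}'))
    for u in registration:
        if u["isAdmin"] and not u["isMfaRegistered"]:
            findings.append(("ADMIN_WITHOUT_MFA", u["userPrincipalName"]))
    return findings
```

Feeding the live Graph responses into the same two functions on a schedule gives the drift evidence the risk analysis is expected to carry.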
Insights. Guardian Security Insights produces the kind of artifact that a HIPAA risk analysis looks like in 2026. It documents what is in the tenant, what is exposed, what is at risk, and what has been remediated. The same evidence supports cyber insurance applications, examiner inquiries, and board reporting.
Response. When something does fire, Guardian's automated session revocation kicks in. Any risky sign-in event triggers a Graph API call that immediately kills all refresh tokens across every device and session for the affected identity. That is the difference between a 279-day breach and a contained event.
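The response step as an added example, not Guardian's code: constructed Identity Protection risk detections are filtered to open medium and high findings, and each affected user gets one revokeSignInSessions call through an injected HTTP function so the logic runs offline. The user ids, UPNs and the User.RevokeSessions.All permission named in the docstring are assumptions for this illustration.

```python
"""Automated session revocation on risky sign-in (added example, not ABT Guardian's code).

Detections use the shape of GET /identityProtection/riskDetections and revocation uses
POST /users/{id}/revokeSignInSessions. The HTTP call is injected so the logic runs offline;
a real caller passes a function that POSTs with a bearer token that holds the
User.RevokeSessions.All application permission (assumed here).
"""
GRAPH = "https://graph.microsoft.com/v1.0"
ACTIONABLE_LEVELS = {"medium", "high"}
ACTIONABLE_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample detections, not data from a real tenant
DETECTIONS = [
    {"userId": "u-1", "userPrincipalName": "dr.smith@clinic.example", "riskLevel": "high",
     "riskState": "atRisk", "riskEventType": "anonymizedIPAddress"},
    {"userId": "u-2", "userPrincipalName": "billing@clinic.example", "riskLevel": "low",
     "riskState": "atRisk", "riskEventType": "unfamiliarFeatures"},
    {"userId": "u-1", "userPrincipalName": "dr.smith@clinic.example", "riskLevel": "high",
     "riskState": "atRisk", "riskEventType": "unlikelyTravel"},
    {"userId": "u-3", "userPrincipalName": "nurse@clinic.example", "riskLevel": "high",
     "riskState": "remediated", "riskEventType": "leakedCredentials"},
]

def select_users_to_revoke(detections):
    """Deduplicated user ids whose risk is medium or high and still open."""
    ids = []
    for d in detections:
        if d["riskLevel"] in ACTIONABLE_LEVELS and d["riskState"] in ACTIONABLE_STATES:
            if d["userId"] not in ids:  # two detections for one user -> one revocation
                ids.append(d["userId"])
    return ids

def revoke_sessions(detections, post):
    """POST revokeSignInSessions once per at-risk user; returns (userId, succeeded) pairs.

    Revocation invalidates refresh tokens and browser session cookies, so every device
    must re-authenticate. Access tokens already issued stay valid until they expire
    (typically up to an hour), which is why a sign-in risk Conditional Access policy
    is still needed to stop the next token request."""
    results = []
    for uid in select_users_to_revoke(detections):
        body = post(f"{GRAPH}/users/{uid}/revokeSignInSessions")
        results.append((uid, bool(body.get("value"))))  # Graph answers {"value": true}
    return results

if __name__ == "__main__":
    # Stand-alone run with a stub transport; replace with an authenticated requests.post
    print(revoke_sessions(DETECTIONS, lambda url: {"value": True}))
```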
If your last HIPAA risk analysis is older than 12 months, OCR has an opinion about that.
ABT runs HIPAA-aligned Microsoft 365 tenant assessments for healthcare practices, clinics, and hospital IT teams. The output is the documented risk analysis OCR expects, plus a remediation path that uses the Microsoft licenses you already own.
The $7.42 million question is not whether your practice can afford the breach. It is whether you can produce the risk analysis OCR will ask for the day after.
Frequently Asked Questions
What is the average cost of a healthcare data breach in 2025?
According to the IBM Cost of a Data Breach Report 2025, the average cost of a healthcare data breach is $7.42 million, the highest of any industry for the 14th consecutive year. The U.S. national average across all industries reached $10.22 million in 2025, driven by regulatory fines and detection delays. Healthcare also has the longest detection and containment time at 279 days.
Why does OCR keep citing risk analysis failures in its settlements?
The HIPAA Security Rule requires every covered entity and business associate to conduct an accurate and thorough risk analysis of vulnerabilities to electronic protected health information. When OCR investigates a breach, the first document it asks for is the current risk analysis. If the document is missing, outdated, or does not match what is actually deployed in the environment, OCR treats the gap as the underlying violation and issues a corrective action plan plus financial settlement. Five recent settlements (BayCare, Assured Imaging, Axia Women's Health, Star Group / SG Health Plan) all cite this exact failure.
Does signing the Microsoft Business Associate Agreement make a practice HIPAA compliant?
No. The Microsoft Business Associate Agreement covers Microsoft's responsibilities for the underlying cloud service, including Microsoft 365 and Azure services that handle protected health information. The BAA does not configure your tenant, enforce MFA, set DLP policies, retain audit logs, or document your risk analysis. Those responsibilities sit with the covered entity. Microsoft documents the split at learn.microsoft.com under the HIPAA HITECH offering page. A signed BAA plus an unhardened tenant is the configuration OCR keeps finding when it issues settlements.
How much did the Change Healthcare and Ascension breaches cost?
UnitedHealth Group has disclosed an estimated cost of approximately $2.45 billion for the Change Healthcare ransomware incident, which exposed records belonging to 192.7 million individuals. Ascension reported a fiscal 2024 operating loss of approximately $1.8 billion, with the May 2024 ransomware attack as a primary contributor; its fiscal 2025 results show a $1.3 billion year-over-year improvement in operating loss, demonstrating how long the financial drag from a healthcare breach persists.
What is ABT Guardian for Healthcare?
ABT Guardian is an operating model that wraps around a healthcare practice's Microsoft 365 tenant. It runs four continuous phases: hardening (MFA enforcement, Conditional Access, Purview audit log retention, Defender for Office 365, DLP for protected health identifiers), monitoring (continuous checks against 160-plus Microsoft Secure Score controls, drift detection against the baseline), insights (documented evidence that satisfies HIPAA risk analysis expectations and OCR inquiries), and response (automated session revocation that kills refresh tokens on any risky sign-in). The output is the kind of evidence trail OCR has been asking for in 2025 settlements.