120+ Latest Healthcare Cybersecurity Statistics for 2025

Sean Roy

Healthcare Cybersecurity Statistics - Key Takeaways:

  • 92% of healthcare organizations were targeted by cyberattacks in the past 12 months, an increase from 88% in 2023.

  • 67% of healthcare organizations believe phishing and business email compromise negatively impacted patient care quality, highlighting the critical consequences of cybersecurity vulnerabilities.

  • Ransomware attacks led to an average of nearly 19 days of downtime for U.S. healthcare organizations, demonstrating the severe operational disruptions caused by such incidents.

  • 90% of healthcare organizations experience at least one security breach, with hacking/IT incidents accounting for 80% of cases in 2022.

  • Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.

  • Between 2020 and 2025, the healthcare sector is expected to invest $125 billion in cybersecurity tools and services, reflecting a 15% annual growth rate.

  • Organizations leveraging AI and automation tools in cybersecurity detected and contained incidents 98 days faster than average and saved nearly $1 million in incident response costs.


Cybersecurity Spending and Resource Allocation


The Biden administration has proposed $800 million in funding within its 2025 budget to enhance cybersecurity in hospitals.


Between 2020 and 2025, the healthcare sector is expected to invest $125 billion in cybersecurity tools and services, reflecting a 15% annual growth rate.


By 2025, spending on healthcare cybersecurity will reach $5.61 billion, driven by the adoption of blockchain technology.


Cybersecurity budgets grew by 12%, averaging $66 million in 2024, with 19% of those funds dedicated to information security.


56% of healthcare organizations devote less than 10% of their IT budgets to cybersecurity measures.


41% of IT professionals in healthcare believe their organizations' financial commitments to cybersecurity are inadequate to support an effective strategy.


For 40% of cybersecurity teams in the healthcare sector, insufficient funding continues to pose a significant challenge, increasing organizational risk levels.


IT and Security Staffing Challenges


53% of organizations report a lack of in-house cybersecurity expertise.


46% of organizations struggle with insufficient IT staffing to address cybersecurity challenges.


Over 50% of healthcare organizations indicate they require additional support with IT security, and 30% report being understaffed or severely understaffed.


Only 14% of healthcare organizations state that their IT security teams are fully staffed.


49% of organizations identified the lack of clear leadership as a hindrance to a robust cybersecurity posture in 2024, a sharp rise from 14% in 2023.


Nearly 1 in 5 insiders responsible for data breaches were employed through a business partner or as a contractor.


System Vulnerabilities and Infrastructure Risks


Outdated IT equipment, including legacy operating systems or unsupported software, was the initial access point in 24% of the most severe security incidents.


Nearly half of organizations reported that more than 10% of their infrastructure consisted of legacy systems.


Legacy technology ranks as a top cybersecurity concern for 39% of healthcare cybersecurity professionals.


38% of organizations face between 50-350 cybersecurity attacks annually, while 13% report experiencing over 350 attacks.


In 2024, 34% of cyberattacks on healthcare organizations were due to vulnerability exploitation, 34% involved compromised credentials, 19% originated from malicious emails, 9% from phishing, and 5% were caused by brute force attacks.


Over the past two years, 69% of healthcare organizations experienced cloud or account compromises, averaging 20 incidents.


68% of organizations reported supply chain attacks over the past two years, averaging four incidents.


Internal issues like human error accounted for 26% of healthcare attacks, while 22% stemmed from IT failures, and 52% were caused by malicious actors.


31% of data loss or exfiltration incidents in healthcare in 2024 were due to employee negligence.


Other causes of data loss/exfiltration included accidental loss (26%), sending PHI/PII to unintended recipients (21%), privilege access abuse (20%), malicious insiders (15%), social engineering (13%), phishing (12%), use of stolen credentials (11%), and vulnerability exploitation (9%).


38% of organizations have fully implemented encryption safety controls for data at rest.


50% of organizations implemented encryption for data in transit.


Companies leveraging AI and automation tools in cybersecurity detected and contained incidents 98 days faster than the average.


Organizations employing AI and automation tools saved an average of nearly $1 million in incident response costs.


Phishing, Ransomware, and Cyberattack Trends


92% of healthcare organizations were targeted by cyberattacks in the past 12 months, an increase from 88% in 2023.


Over 90% of cyberattacks on healthcare entities involved phishing schemes.

88% of healthcare employees opened phishing emails in 2024.


Phishing-related incidents included 71% general email phishing, 67% spear-phishing, 27% voice phishing, 27% whaling, 23% business email compromise, 21% SMS phishing, 20% phishing websites, 16% social media phishing, 3% pharming, and 2% deepfakes.


Simulated phishing tests revealed that nearly 1 in 7 fake phishing emails were clicked on by healthcare staff.


64% of healthcare IT professionals consider their organizations vulnerable to business email compromise or phishing spoofing.


67% of organizations believe that phishing and business email compromise negatively impacted patient care quality.


45% of healthcare cybersecurity experts identified phishing as the primary cause of the most critical data breaches.


During the COVID-19 pandemic in 2020, phishing incidents surged by 220% year-over-year.


62% of organizations have incorporated ransomware threats into their cybersecurity strategies.


Two in three healthcare facilities reported ransomware incidents in 2022.


Ransomware attacks targeting healthcare entities doubled between 2016 and 2021.


In 2024, 67% of healthcare organizations worldwide experienced ransomware attacks, compared to 34% in 2021.


Over 11% of U.S. healthcare providers faced ransomware attacks in 2023.


Ransomware attacks led to an average of nearly 19 days of downtime for U.S. healthcare organizations.


36% of healthcare facilities reported increased medical complications due to ransomware.


74% of ransomware attacks focused on hospitals, while 26% targeted secondary institutions such as dental clinics and nursing homes.


Smaller healthcare providers are disproportionately targeted due to perceived weaker defenses.

61% of healthcare organizations paid ransom in 2021, up from 34% in 2020.


On average, only 64.8% of data was restored after paying a ransom.


Just 2% of organizations that paid the ransom recovered all their data.


72% of providers used backups to regain access to data post-ransomware attacks.


The average ransomware payment in 2021 was $197,000, a 33% increase from 2020.


65% of healthcare ransom demands exceeded $1 million, and 35% were $5 million or more.


In 2024, the median ransom demand for healthcare organizations was $4 million, with a mean of $4.9 million.


Healthcare organizations with compromised backups faced median ransom demands of $4.4 million, compared to $1.3 million for those with secure backups.


The financial toll of ransomware attacks on U.S. healthcare organizations surpassed $14 billion.


The average recovery cost for a ransomware attack reached $1.85 million.


In 2024, the average financial disruption caused by cyberattacks was $1.47 million, a 13% rise from $1.3 million in 2023.


One in four organizations required more than a month to recover from a ransomware attack, with the average recovery period being one week.


In 2024, 59% of organizations endured ransomware attacks, averaging four incidents across two years.


While only 36% of organizations paid ransom in 2024—down from 40% in 2023—the average ransom climbed by 10% to $1.1 million.


Healthcare Data Breaches and Impacts


90% of healthcare organizations experience at least one security breach, with 30% of these breaches occurring in large hospitals.


76% of healthcare data breaches are caused by basic web application attacks, system intrusions, and miscellaneous errors.


Hacking/IT incidents accounted for 80% of cases in 2022, up from 4% in 2010.


Since 2014, hacking/IT incidents have been the leading cause of healthcare data breaches.


47% of data breaches reported to the U.S. Department of Health and Human Services since 2008 were linked to hacking/IT incidents.


In 2022, 44 million individuals were affected by hacking/IT data breaches, up from 900,000 in 2012.


Since 2009, hacking/IT breaches have impacted 319 million individuals, equivalent to 96% of the U.S. population.


58% of the 77.3 million individuals affected by data breaches in 2023 were due to attacks on healthcare third-party providers, a 287% increase from 2022.


More than 28% of all data breaches occurred at healthcare organizations, with 35% of these breaches reported at third-party vendors.


The average hacking/IT breach compromised 131,100 records.


In 2023, U.S. healthcare providers faced 809 cases of data compromises.


From January to November 2024, 520 resolved cases of data violations involving U.S. healthcare organizations were reported.


Between 2018 and 2023, healthcare ransomware attacks surged by 278%, hacking-related incidents rose by 239%, and data breaches increased by 93%.


Unauthorized access or disclosure of sensitive data is the second-most common cause of healthcare information leaks.


More than 34% of data breaches in healthcare organizations were due to unauthorized access or disclosure.


In the first half of 2024, 13 reports of data breaches involving lost or stolen electronic devices and paper records containing ePHI were made, an 85.7% increase compared to the first half of 2023.


In the first half of 2024, 387 data breaches involving 500 or more records were reported to the Health and Human Services’ Office for Civil Rights, marking an 8.4% rise from the same period in 2023.


In the first half of 2024, information stored on network servers was the most frequently breached data source in U.S. healthcare.


In 2015, more than 112 million health data records were breached in the United States, the highest number recorded in a single year.


At least 14 million patients in the U.S. were impacted by healthcare data breaches in 2024.



Healthcare cyberattacks affected more than 100 million people in 2023.


In 2024, approximately 45.6 million healthcare records were compromised, compared to 50 million in 2023.


Healthcare data breaches cost an average of $408 per record, three times higher than the cross-industry average of $148 per record.


The average cost for a healthcare data breach in 2024 was $9.8 million, down from $10.9 million in 2023.


Breached healthcare information can be 50 times more valuable than financial information.

Complete medical information can sell for up to $1,000.


According to HIPAA, healthcare data breaches in the U.S. have decreased by 48%.


Patient Care and Safety Impacts


70% of IT professionals reported that cybersecurity attacks targeting their supply chains disrupted patient care.


67% of organizations believe that phishing and business email compromise attacks negatively impacted the quality of patient care.


67% of IT professionals think that technologies such as the cloud, big data, and IoT (internet of things) exacerbate threats to patient safety and information integrity.


74% of ransomware attacks were aimed at hospitals, while 26% targeted secondary institutions like dental services and nursing homes.


Nearly 25% of healthcare IT staff indicated that ransomware attacks led to an increase in patient mortality rates.


28% of organizations reported higher patient mortality due to cyberattacks in 2024, a 21% increase compared to the previous year.


56% of organizations experienced delays in procedures or tests caused by cyberattacks in 2024.


64% of ransomware attacks resulted in procedural delays, and 48% contributed to complications from medical procedures.


61% of impacted organizations reported delays that caused poor outcomes, while 58% noted extended hospital stays in 2024.


53% of organizations saw an increase in medical complications stemming from cyberattacks in 2024.


36% of healthcare facilities attributed medical complications to ransomware attacks.


51% of these organizations linked data loss to heightened mortality rates, while 37% connected delays to adverse outcomes.


37% of healthcare IT professionals acknowledged not backing up sensitive data.


58% of the 77.3 million individuals affected by data breaches in 2023 were impacted by attacks on healthcare third-party providers, representing a 287% increase compared to 2022.


In 2024, 389 U.S. healthcare institutions experienced shutdowns or delays in medical procedures due to ransomware attacks.


In 2024, 70% of affected organizations reported negative impacts on patient care because of cyberattacks.


43% of patients expressed concerns about privacy and cybersecurity in telehealth treatment.


Cybersecurity Policies, Training, and Response


Over 75% of healthcare employees report receiving cybersecurity awareness training.


25% of healthcare workers who believed they needed cybersecurity training were not offered any.


41% of healthcare providers simulate phishing attacks to educate staff about cybersecurity risks.


48% of healthcare providers incorporate prevention and response measures for phishing attacks into their cybersecurity strategies.


Only 37% of hospitals conduct annual cybersecurity incident response exercises.


Just 50% of healthcare organizations perform regular cybersecurity audits.


34% of healthcare employees were unsure if their workplace had a cybersecurity policy.


Only 13% of healthcare organizations monitor cyber threats more than once per day.


44% of organizations tracked 1–50 cyber threats annually, while 38% tracked 50–350 threats annually.


98% of healthcare organizations with encrypted data successfully recovered it, with 73% using backups, 53% paying ransom, and 29% employing other recovery methods.


Organizations leveraging AI and automation tools in cybersecurity detected and contained incidents 98 days faster than average.


51% of organizations include medical device security in their cybersecurity strategies.


Only about 40% of U.S. healthcare organizations using generative AI had policies governing its use.


Insurance and Financial Implications


In 2024, 67% of healthcare organizations faced ransomware attacks, up from 60% in 2023 and nearly double the 34% reported in 2021.


Only 47% of ransom payments were covered by cybersecurity insurance policies.


Healthcare organizations incurred a mean recovery cost of $2.57 million from ransomware in 2024, compared to $2.2 million in 2023.


Median recovery costs for organizations with compromised backups reached $750,000, which is double the $375,000 cost for those with secure backups.


In 2024, just 22% of ransomware victims in healthcare fully recovered within a week or less, down from 47% in 2023 and 54% in 2022.


37% of healthcare organizations required over a month to recover from ransomware attacks in 2024, an increase from 28% in 2023.


90% of private sector healthcare organizations reported ransomware attacks caused losses in business and revenue.


The average cost of a healthcare data breach in 2024 was $9.8 million, a decrease from $10.9 million in 2023.


The most expensive healthcare breach in the US amounted to $4.4 million, with the following breakdown: lost productivity ($1.1 million), disruption to operations ($1 million), damage to IT infrastructure ($930,000), remediation activities ($708,000), and mitigating patient care impacts ($664,000).


50% of healthcare data breaches result in identity theft, costing victims an average of $2,500 out-of-pocket.


Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.


Organizations using AI and automation reduced incident response costs by nearly $1 million on average.



Sean Roy - General Manager and Co-Founder

Written by Sean Roy. Sean has 20 years in the technology space, with the past 15 years spent helping companies incorporate mobile into their technology and communication efforts. In addition to his extensive experience in developing and launching mobile marketing solutions, Sean is an active and respected member of the mobile community. Sean has provided mobile solutions for Vodafone, Twitter, Facebook, and Sky TV.

