Verizon Releases Inaugural Breach Impact Study
Verizon Business has released the findings from its inaugural Breach Impact Study, which focuses on the financial impact of data breaches. The BIS report is from the same authoring team as the Verizon Data Breach Investigations Report and was produced in partnership with CyberAcuView. The report is based on an analysis of around 70,000 U.S. cyber insurance claims, including 38,000 claims where the policies paid out. The data spans from January 2019 to October 2025.
In contrast to many data breach cost reports, the report is based on median claim amounts rather than averages, which are susceptible to skewing. In 2019, the median financial impact was around $60,000, rising by 80% to $110,000 in 2025, with data breach costs outpacing inflation, which was around 23% over the period of the study. More than half of paid-out claims exceeded $83,000, with 10% having an impact of $920,000 or more. The most extreme 2.5% of cases exceeded $5 million in losses.
The report shows that data breach costs almost doubled between 2019 and 2025, with business interruption the single largest loss driver, followed by loss to threat actor and response and recovery.

Known losses over time. Source: Verizon 2026 Breach Impact Study.
For software supply chain and third-party incidents, business interruption accounted for 50% of all losses. Software supply chain incidents and third-party breaches are relatively rare, accounting for around 2% of claims in the dataset, but when they occur they can be catastrophic, with costs more than double those of the overall dataset. In the most extreme cases, losses exceeded $100 million.
The median impact was around $38,000 in the SMB segment, rising to $96,000 in the mid-market segment, and $238,000 for large enterprises, with the top 2.5% of large enterprise claims exceeding $22 million per claim. While breach costs were relatively low in the SMB segment, the ratio of impact amounts to insured revenue was as high as 3% in the top 10% of cases, and was 7% in the most extreme cases. Without an insurance policy, these incidents could have been extremely damaging. In the mid-market and large enterprise segments, the ratio did not go above 2% in the top 2.5% of extreme cases.
Healthcare had relatively high external liability costs compared to other sectors. The dataset included more than 8,640 claims with 5,100 recorded losses. Healthcare accounted for 23% of total losses, with a median liability loss 57% higher than the overall dataset. Response and recovery accounted for 29% of total losses, followed by business interruption (24%) and external liability (23%).

Distribution of the economic impact of breaches in healthcare. Source: Verizon 2026 Breach Impact Study
The most common incident type in healthcare that prompted a claim was a ransomware attack (39%), which represented 60% of the total cost with a median cost of $77,051. Business email compromise (BEC) was involved in 22% of cases, accounting for 10% of the costs, with a median cost of $94,924.
The post Verizon Releases Inaugural Breach Impact Study appeared first on The HIPAA Journal.
HHS Provides Update on its Artificial Intelligence RFI
The Department of Health and Human Services (HHS) has provided an update on how it plans to accelerate the adoption of artificial intelligence (AI) in clinical care settings. AI has tremendous potential for improving efficiency in healthcare, achieving better patient outcomes, and lowering healthcare costs for Americans; however, there are risks associated with AI implementation in healthcare.
The HHS issued a Request for Information (RFI) in December 2025 on how AI tools can be used to deflate healthcare costs, as part of the Make America Healthy Again initiative. HHS Secretary Robert F. Kennedy Jr. sought broad public input on how the HHS could use its regulatory, reimbursement, and research & development levers to enable AI adoption to propel the U.S. healthcare system forward.
The HHS sought information on how digital health and software regulatory frameworks should evolve to account for AI-driven tools while maintaining patient safety; whether reimbursement structures could be simplified and better aligned to support the use of efficient, deflationary technologies; and whether research and development investments could strengthen implementation science and best practices. The HHS received more than 7,000 comments from healthcare providers, researchers, and industry groups in response to the RFI.
U.S. healthcare spending increased by 7.3% to a record $5.7 trillion in 2025, according to the HHS Centers for Medicare and Medicaid Services (CMS), and costs are expected to continue to rise. While spending accounted for 18% of GDP in 2024, it is expected to rise to more than 20.5% by 2034. AI could play a vital role in reducing healthcare costs, including automating administrative tasks and patient communications, and helping patients manage their health conditions; however, implementing AI tools within a strict regulatory framework is a challenge due to the privacy and security risks associated with these tools. Other risks include inaccurate outputs, biased data, and model degradation over time.
During a webinar last week, HHS leaders shared some of the feedback received in response to last year’s RFI, explaining that there was a broad consensus that the healthcare industry wanted better coordination across HHS agencies, support in implementation and creating governance structures, and guidance on what makes a good AI tool and which AI tools work well.
“We believe that starting with these three things and acting on constant engagement from this community is what’s needed to establish trust. And trust in this technology is the only thing that will lead to responsible, but also effective, adoption,” HHS deputy chief AI officer, Arman Sharma, said. The HHS is keen to have AI tools used beyond administrative applications, including assisting with direct patient care. “Our goal is to improve access, affordability and the impact of healthcare through technology, including AI,” Dr. Thomas Keane, national coordinator for health IT, said.
The HHS shared some of the steps it has taken already to speed up AI implementation. For instance, the Advanced Research Projects Agency is working on the development of AI agents for autonomously managing cardiovascular disease care, and the Administration for Community Living has launched a competition for developers to create AI tools to help caregivers provide care to older Americans with disabilities.
Meanwhile, the FDA is working to provide greater clarity on what is regulated and what is required from developers, is preparing new policy proposals concerning autonomous AI-enabled medical technologies, is developing regulations proportionate to the risk posed by AI tools throughout their lifecycle, and is coordinating closely with other government agencies, professional groups, and international regulators.
Take the Guesswork out of HIPAA Compliance for Small Practices
Removing guesswork from HIPAA compliance means replacing assumptions about what a practice has covered with a documented process that maps directly to the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Small practices frequently operate on inherited assumptions: a predecessor set up a policy years ago, a staff member attended a training session at some point, or a binder was purchased and filled out once. None of those assumptions can be verified on demand, and an inability to verify is treated the same as noncompliance during a regulatory review. A defined process removes that ambiguity by producing evidence rather than relying on memory or informal practice.
The Uncertainty Small Practices Face Under HIPAA
Owners and office managers at small practices commonly cannot answer basic questions about their own compliance status without checking multiple sources or guessing. Common uncertainty includes whether the Security Risk Analysis on file reflects the practice’s current systems, whether every staff member has completed required training within the correct timeframe, and whether the breach notification procedure matches current regulatory timelines. This uncertainty is not a knowledge problem specific to any one practice. It reflects the fact that HIPAA compliance touches administrative operations, physical security, technology, and workforce management simultaneously, and few practices have a single system that tracks all four areas together.
Three Rules, One Standard: What Compliance Actually Covers
The HIPAA Privacy Rule governs how protected health information is used and disclosed, the HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, and the HIPAA Breach Notification Rule sets specific timelines and procedures for notifying affected individuals and regulators when a breach occurs. These three rules are evaluated together during an investigation, not separately. A practice with strong technical safeguards but no documented breach notification procedure has not met its obligations any more than a practice with a written privacy policy that staff were never trained on. Meeting the standard requires all three rules to be addressed in a coordinated, documented way.
Where Guesswork Creates Regulatory Exposure
Regulatory exposure tends to concentrate in a small number of predictable gaps. A Security Risk Analysis completed once and never updated no longer reflects the practice’s actual systems or vulnerabilities. Training records that exist but are not tied to specific policy versions cannot demonstrate that staff were trained on current requirements. Breach response procedures written in general terms, without practice-specific roles and timelines, slow down the notification process when an actual incident occurs. Each of these gaps originates from treating a HIPAA requirement as a one-time task rather than a maintained record, and each one is identifiable and correctable before it becomes a finding in an investigation.
Replacing Assumptions With a Documented Process
A documented compliance process converts uncertainty into a verifiable record. This starts with a current Security Risk Analysis specific to the practice’s systems and physical locations, followed by written policies drawn from that analysis rather than a generic template, individual training records tied to those policies, and a breach response procedure with defined roles and notification timelines under the HIPAA Breach Notification Rule. When these elements exist together and are kept current, a practice can respond to a regulator’s request with a specific answer rather than an estimate. The process itself, not the intention behind it, is what a review evaluates.
A Program Built for the Practice, Not a Generic Template
Generic templates require a practice to adapt broad language to its own operations, and that adaptation is frequently where gaps form, since staff without regulatory training are left to interpret which parts of a template apply to them. Software built specifically for HIPAA compliance management removes that interpretation step by generating a program directly from information about the practice’s own operations, locations, and systems. Abyde produces this kind of program, building the Security Risk Analysis, policies, and training requirements around a specific practice rather than handing over a document to be customized manually. Setup for a complete program of this kind typically takes a matter of hours, with maintenance running to a few minutes a month once the initial analysis and documentation are in place.
Support for Situations a Checklist Cannot Resolve
Not every compliance question has a fixed answer available in a checklist or a template. Determining whether a specific incident meets the threshold for breach notification, or how to handle an unusual request for records, requires judgment applied to the facts of that particular situation. Abyde includes direct access to compliance experts by phone or message as part of its subscription, giving practices a specific answer to a specific situation rather than a general reference document to interpret on their own. This kind of support matters most to the staff member responsible for day-to-day compliance, who needs a reliable answer at the point a question arises rather than a research process that delays a required response.
Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software
A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant.
Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings.
One of the vulnerabilities is rated critical, with a CVSS v3.1 base score of 9.8; the other four are rated high severity, with CVSS v3.1 base scores ranging from 7.5 to 8.2 (CVSS v4.0: 8.7 to 8.8). CISA published a security advisory about the vulnerabilities on June 30, 2026.
The vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0 and are tracked under the following CVEs:
| CVE | Severity | CVSS v3.1 | CVSS v4.0 | Vulnerability |
|---|---|---|---|---|
| CVE-2026-50003 | Critical | 9.8 | 9.3 | Improper limitation of a pathname to a restricted directory (path traversal) |
| CVE-2026-52868 | High | 8.2 | 8.8 | Improper limitation of a pathname to a restricted directory (path traversal) |
| CVE-2026-50254 | High | 7.5 | 8.7 | Missing release of memory after effective lifetime |
| CVE-2026-35505 | High | 7.5 | 8.7 | Missing release of memory after effective lifetime |
| CVE-2026-44628 | High | 7.5 | 8.7 | Access of resource using incompatible type (type confusion) |
According to CISA, the maintainer of the toolkit was informed about the vulnerabilities and has issued a fix; however, Agarwal contacted The HIPAA Journal to warn that the vendor has applied the fix upstream in the master branch only, which means that downstream libraries and operators have no tagged release containing the fix to upgrade to. Users will need a fixed release or a vendor-provided update path.
One of the problems with vulnerabilities in DICOM toolkits is that many end users may be using DICOM software with known, disclosed vulnerabilities and be unaware that their software is vulnerable, unless they are provided with a Software Bill of Materials (SBoM) and routinely check for vulnerabilities in all components. Agarwal suggested that healthcare entities should ask their imaging vendors whether DCMTK is present, what versions are used, whether the CISA advisories apply, and when patched builds will ship.
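The SBOM check described above, as an added example (not code from The HIPAA Journal, CISA or the DCMTK project): it walks a CycloneDX-style component list, finds anything labelled DCMTK, and compares the version against the 3.7.0 fix line and the CVE list from the advisory. The SBOM and the viewer product it describes are constructed for the example.

```python
import json
import re

# From the advisory as summarised above: DCMTK releases before 3.7.0 are affected.
FIXED_VERSION = (3, 7, 0)
DCMTK_CVES = ("CVE-2026-50003", "CVE-2026-52868", "CVE-2026-50254",
              "CVE-2026-35505", "CVE-2026-44628")

def parse_version(text):
    """Turn '3.6.8', 'v3.6.7+git' or '3.7.0' into a comparable tuple (None if unparseable)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_dcmtk(component):
    """Match on name or package URL; vendors label the library inconsistently."""
    haystack = ((component.get("name") or "") + (component.get("purl") or "")).lower()
    return "dcmtk" in haystack

def audit_sbom(sbom):
    """Return one finding per DCMTK component: affected, fixed, or version unknown."""
    findings = []
    for comp in sbom.get("components", []):
        if not is_dcmtk(comp):
            continue
        version = parse_version(comp.get("version"))
        if version is None:
            status, cves = "unknown", ()          # ask the vendor which build is shipped
        elif version < FIXED_VERSION:
            status, cves = "affected", DCMTK_CVES
        else:
            status, cves = "fixed", ()
        findings.append({"name": comp.get("name"), "version": comp.get("version"),
                         "status": status, "cves": list(cves)})
    return findings

# Constructed CycloneDX-style SBOM for a hypothetical imaging viewer (not a real product).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "dcmtk", "version": "3.6.8",
     "purl": "pkg:generic/dcmtk@3.6.8"},
    {"type": "library", "name": "OFFIS DCMTK", "version": "v3.7.0"},
    {"type": "library", "name": "imaging-codecs", "version": "2.1.0"}
  ]}""")

if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"{f['name']} {f['version']}: {f['status']}", *f["cves"])
```

A component with no version string is reported as unknown rather than silently passed, since that is exactly the case where the vendor has to be asked which build is shipped.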