IBM has published the 2025 Cost of a Data Breach Report, which shows a fall in the global average cost of a data breach, but an increase in the cost of U.S. data breaches, which have set a new record at $10.22 million, increasing by 9.2% from an average of $9.36 million in 2024. The higher data breach costs in the United States were largely due to higher regulatory fines and detection and escalation costs. Globally, data breach costs have fallen for the first time in five years to an average of $4.44 million.

Global average cost of a data breach in 2025 (in millions). Source: IBM
IBM has been releasing data breach cost reports for the past 20 years. This year, the study was conducted on 600 organizations of various sizes from 16 countries and geographic regions. Out of the 600 organizations participating in the study, 16% were located in the United States and Canada. The report is based on an analysis of data from organizations in 17 industries, 2% of which are in the healthcare industry.
There has been a fall in the cost of healthcare data breaches in the United States, which dropped by $2.35 million year-over-year to an average of $7.42 million. While the cost of a healthcare data breach has fallen significantly, healthcare data breaches are still the costliest out of all industries studied by IBM, and have been for the past 14 years.
Globally, the time to identify and contain a data breach fell to a 9-year low of 241 days, reducing by 17 days compared to 2024. IBM explains that the reduction in average containment time was largely due to a higher number of organizations detecting the data breach internally rather than being notified by an attacker. Healthcare data breaches took the longest to identify and contain, at an average of 279 days, five weeks longer than the global average breach lifecycle.
Phishing was the leading initial access vector in 2025, accounting for almost 16% of data breaches, replacing stolen credentials (10%), last year’s leading initial access vector, which fell to third spot behind supply chain compromise (15%). Ransomware continues to be a problem for healthcare organizations; however, more organizations are choosing not to pay ransoms. Last year, 59% of organizations that experienced a ransomware attack refused to pay the ransom, increasing to 63% this year. With fewer organizations making payments, ransom demands have remained high, with an average of $5.08 million demanded for attacker-disclosed attacks. Fewer victims of ransomware attacks involve law enforcement, even though law enforcement involvement shaved an average of $1 million off data breach costs last year. In 2024, 52% of ransomware victims contacted and involved law enforcement, compared to 40% in 2025.
Data breaches invariably result in operational disruption, with almost all breached organizations reporting at least some disruption to operations as a result of a breach. The majority of breached organizations took more than 100 days to recover from a data breach. While breached organizations often absorb the cost of a data breach, this year, almost half of the organizations that suffered a data breach said they would be raising the price of goods and services as a result, with almost one-third planning to increase costs by 15% or more due to a data breach.
Each year, the cost of a data breach report identifies the main factors that increase or decrease breach costs. The biggest components in breach costs were detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response ($1.2 million), although IBM notes that detection and escalation costs fell by almost 10% compared to last year, and lost business and post-breach response costs also fell.
Based on a global average cost of $4.88 million, the most important factors for reducing data breach costs were adoptiong a DevSecOps approach (-$227K), AI-driven and ML-driven insights (-$223K), security analytics or SIEM (-$212K), threat intelligence (-$211K), and data encryption (-$208K). The main factors that increased breach costs were supply chain breaches (+$227K), security systems complexity (+$207K), shadow IT (+$200K), and AI tool adoption (+$193.5K).
Shadow IT – unauthorized use of software and devices – was a new addition to this year’s top three factors increasing data breach costs. Shadow IT increases the attack surface and creates a security blind spot, and IBM warns that many organizations are failing to look for shadow IT, so it remains undetected and can provide an easily exploitable backdoor into networks. On average, organizations with a high level of shadow IT experienced data breach costs $670K higher than organizations with a low level of shadow IT.
For this year’s report, IBM looked at the adoption of AI and found that AI adoption is outpacing governance. The majority of organizations that have adopted AI solutions said they did not have AI governance policies to mitigate or manage the risk of AI. Organizations lacking AI governance paid higher costs when breached. IBM has determined that AI models and applications are an emerging attack surface, especially in the case of shadow AI. This year, 13% of organizations reported a security incident involving an AI model or application that resulted in a data breach, and an overwhelming majority of those breached organizations – 97% – said they lacked proper AI access controls.
There has been growing concern about the use of generative AI by threat actors, such as for accelerating malware development and creating text and images for phishing and social engineering campaigns. IBM looked at the prevalence of AI-driven attacks and found that 16% of breaches involved the use of AI by attackers, with the majority of those attacks involving phishing (37%) or deepfakes (35%).
Last year, almost two-thirds of organizations said they would be increasing investment in cybersecurity over the next 12 months, but only 49% of organizations are planning to increase investment in the next 12 months. Fewer than half of the organizations planning to increase security investment said they were focusing on AI-driven solutions or services.
The post Average Cost of a Healthcare Data Breach Falls to $7.42 Million appeared first on The HIPAA Journal.