
What is the True Cost of a Personal Health Information (PHI) Breach?

Figure: chart showing the cost of an average PHI breach.

For cyber criminals, Personal Health Information (PHI) is a highly valuable trove of data that can be sold for far more than any other kind of personal record. A patient’s PHI contains their social security number, addresses, phone number, insurance information, prescriptions and diagnoses, as well as billing information. This creates an opportunity for cyber criminals to make big money from a PHI breach; for healthcare organizations, on the other hand, it poses the threat of significant losses. Healthcare security is becoming increasingly important.

The Importance of Protecting PHI

PHI is a unique data source because it contains information about a person’s identity that cannot be altered. Once a diagnosis is rendered, it is permanent. Similarly, prescribed medication, allergies, mental health records, and other medical data are unchangeable. For this reason, PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries.


Criminals Will Pay Up to $1000 for a Single Medical Record

When a person’s credit card or account number is stolen and used fraudulently, a quick trip to the bank and a change of digits can solve the problem. Unalterable medical information, however, can be used for many malicious purposes, from blackmail to identity theft. This is why cyber criminals will pay only 25 cents for a credit card number but up to $1000 for a single medical record.

Unique Cyber Security Issues in Healthcare

While healthcare organizations must meet stringent requirements to protect patient data, compliance doesn’t necessarily mean that PHI is secure. Technology evolves quickly, the healthcare industry relies increasingly on connected medical devices, servers and PCs, and regulations can’t keep pace with attackers’ increasingly sophisticated methods. Other industries do not rely on such an extended ecosystem of connected technology, especially in the life-or-death situations that are common in healthcare.

While all modern industries face cyber security challenges, the healthcare sector is a huge target for criminals. The extensive data found in patient records, the vast ecosystem of possible attack surfaces, and the life-or-death situations created by a breach make healthcare organizations particularly vulnerable. For these reasons, the healthcare industry can expect cyber criminals to attack its systems more frequently and more persistently than those of other sectors.

The Cost of a PHI Breach

After a PHI breach, healthcare organizations must take a number of actions to contain the breach and meet regulatory requirements, and these expenses add up: regulatory fines, notification expenses, identity theft repair, and credit monitoring for affected patients.


The Average Cost of a Healthcare Data Breach is $408 Per Health Record

The number of records involved in a single data breach at a healthcare organization contributes to the monumental cost and the scale of the aftermath. According to Protenus’ 2020 Breach Barometer, over 40 million patient records were breached in 2019 alone. At $408 per health record, costs add up quickly even for the smallest breaches.

Healthcare Data Breaches Cost 65% More Than Data Breaches in Other Sectors

As soon as a person is born, their PHI is stored within the IT infrastructure of a healthcare organization. Since the simple act of being born often makes a person an active participant in the healthcare system, this means that most people are vulnerable to a healthcare data breach.

In fact, according to the American Academy of Pediatrics, “Children can be especially vulnerable [to healthcare data breaches]. It may take years or even decades for them to be made aware that their personal information has been compromised, especially if their healthcare provider is unaware of a breach.”

The healthcare system is not only uniquely vulnerable to cyber-attacks; its monumental database of valuable information also makes it a massive target for hackers. The result is unparalleled costs in the aftermath of a data breach.

Preventing a Data Breach

Whether you are an app developer for connected medical devices or an information security officer at a large healthcare organization, it is your job to protect valuable patient information. Automated, intelligent security solutions are key, and performing vulnerability assessments regularly is critical. Ensuring proper cyber security hygiene from end to end is an organization’s best bet for preventing a PHI breach and protecting all aspects of the vast healthcare ecosystem.

Sources

Protenus: 2020 Breach Barometer

AAP News: Children Especially Vulnerable to Cybersecurity Attacks in Healthcare

Forbes: Your Electronic Medical Records Could Be Worth $1000 to Hackers

Ponemon Institute: 2019 Cost of a Data Breach Report
