25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Verizon Releases Inaugural Breach Impact Study

Verizon Business has released the findings from its inaugural Breach Impact Study, which focuses on the financial impact of data breaches. The BIS report is from the same authoring team as the Verizon Data Breach Investigations Report and was produced in partnership with CyberAcuView. The report is based on an analysis of around 70,000 U.S. cyber insurance claims, including 38,000 claims where the policies paid out. The data spans from January 2019 to October 2025.

In contrast to many data breach cost reports, the report is based on median claim amounts rather than averages, which are susceptible to skewing. In 2019, the median financial impact was around $60,000, rising by 80% to $110,000 in 2025, with data breach costs outpacing inflation, which was around 23% over the period of the study. More than half of paid-out claims exceeded $83,000, with 10% having an impact of $920,000 or more. The most extreme 2.5% of cases exceeded $5 million in losses.

The report shows that data breach costs almost doubled between 2019 and 2025, with business interruption the single largest loss driver, followed by loss to threat actor and response and recovery.

Known breach losses over time: 2019 to 2025

Known losses over time. Source: Verizon 2026 Breach Impact Study.

For software supply chain and third-party incidents, business interruption accounted for 50% of all losses. Software supply chain incidents and third-party breaches are relatively rare, accounting for around 2% of claims in the dataset, but when they occur, they can be catastrophic, with costs more than double the overall dataset. In the most extreme cases, losses exceeded $100 million.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The median impact was around $38,000 in the SMB segment, rising to $96,000 in the mid-market segment, and $238,000 for large enterprises, with the top 2.5% of large enterprise claims exceeding $22 million per claim. While breach costs were relatively low in the SMB segment, the ratio of impact amounts to insured revenue was as high as 3% in the top 10% of cases, and was 7% in the most extreme cases. Without an insurance policy, these incidents could have been extremely damaging. In the mid-market and large enterprise segments, the ratio did not go above 2% in the top 2.5% of extreme cases.

Healthcare had relatively high external liability costs compared to other sectors. The dataset included more than 8,640 claims with 5,100 recorded losses. Healthcare accounted for 23% of total losses, with a median liability loss 57% higher than the overall dataset.  Response and recovery accounted for 29% of total losses, followed by business interruption (24%) and external liability (23%).

Distribution of healthcare breach claim costs 2019-2026

Distribution of the economic impact of breaches in healthcare. Source: Verizon 2026 Breach Impact Study

The most common incident type in healthcare that prompted a claim was a ransomware attack (39%), which represented 60% of the total cost with a median cost of $77,051. Business email compromise (BEC) was involved in 22% of cases, accounting for 10% of the costs, with a median cost of $94,924.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist