
The $7.4M question: what a healthcare data breach actually costs

February 28, 2026 · 6 min read · Merakey Team

For the thirteenth consecutive year, healthcare is the most expensive industry for data breaches. IBM's 2025 Cost of a Data Breach Report puts the average healthcare breach at US$7.4 million, nearly double the cross-industry average of $4.45 million. That number has climbed every year since IBM started tracking it, and there is no sign the trend is reversing.

For developmental services agencies in Ontario, this is not an abstract statistic. These organizations hold exactly the kind of data that makes healthcare breaches so costly, and they often lack the security infrastructure that larger hospital systems have invested in.

Why healthcare breaches cost more

The $7.4 million figure is an average, and it includes direct costs (forensic investigation, legal fees, notification), indirect costs (lost business, reputational damage), and regulatory penalties. Several factors push healthcare breach costs above those of every other industry.

The data is uniquely sensitive. Healthcare records contain a combination of personal identifiers, medical histories, insurance information, and sometimes financial data. Unlike a stolen credit card number, which can be cancelled and reissued, a medical history cannot be changed. This makes healthcare data more valuable on black markets and more damaging when exposed.

Detection takes longer. IBM's data shows that healthcare organizations take an average of 231 days to identify a breach and another 92 days to contain it. That is nearly 11 months of exposure. The longer a breach goes undetected, the more data is compromised and the more expensive the cleanup.

Regulatory penalties are steep. Healthcare is one of the most heavily regulated industries. In the US, HIPAA violations can reach $1.5 million per category per year. In Canada, the penalties are evolving, and the direction is toward significantly higher fines under new legislation.

Operational disruption is severe. A breach at a healthcare organization does not just affect IT. It can disrupt care delivery, force manual workarounds for medication administration, and compromise the integrity of clinical records. For a DS agency, that could mean reverting to paper-based medication tracking while systems are restored, introducing exactly the kind of manual processes that lead to compliance gaps.

What data is at risk in DS agencies

Developmental services agencies hold a substantial amount of sensitive information, much of it required by Regulation 299/10 and other provincial frameworks. The data at risk includes:

Personal health information. Medical histories, diagnoses, medication records, allergy information, and physician notes. For people with developmental disabilities, this often includes detailed behavioral support plans and psychological assessments.

Individual support plans. These documents contain personal goals, living arrangements, family contacts, financial information, and detailed descriptions of the supports a person receives. They paint a comprehensive picture of a person's life.

Incident and occurrence reports. Serious occurrence reports filed with the Ministry include details about injuries, medication errors, allegations of abuse, and other sensitive events. A breach of this data could be deeply harmful to the individuals involved.

Staff records. Personnel files containing social insurance numbers, banking information for payroll, criminal record checks, and performance evaluations. A breach affecting staff data creates a second category of victims beyond the people receiving services.

PIPEDA penalties and the CPPA

Canada's privacy framework is in the process of a significant overhaul. The current legislation, PIPEDA, gives the Privacy Commissioner the power to investigate complaints and make recommendations, but enforcement has historically relied more on negotiation than penalties. That is changing.

The Consumer Privacy Protection Act (CPPA), which is working its way through Parliament as part of Bill C-27, would introduce administrative monetary penalties of up to C$10 million or 3% of global gross revenue, whichever is higher, for violations of the act. For the most serious offences, including knowingly failing to report a breach, the penalties jump to C$25 million or 5% of global gross revenue.

For a DS agency, C$25 million is an existential number. Even the lower tier of penalties would be devastating to an organization operating on provincial funding. The CPPA also introduces a private right of action, meaning individuals affected by a breach could sue the organization directly, separate from any regulatory penalty.

Ontario's PHIPA already imposes its own obligations for personal health information. Under PHIPA, health information custodians must notify the Information and Privacy Commissioner of Ontario of a breach, and individuals must be notified if the breach poses a risk of significant harm. The combination of federal and provincial obligations creates a layered compliance burden that agencies need to take seriously.

What agencies can do now

The good news is that the most effective risk reduction strategies are also the most straightforward.

Minimize the data you expose. Every third-party service that touches your data is a potential breach surface. Review which vendors have access to personal health information and whether that access is necessary. If a cloud AI tool requires sending resident data to a US server, that is a risk you can eliminate by switching to a self-hosted alternative.

Keep data in Canada. Data residency is not just a regulatory checkbox. It reduces your exposure to foreign legal orders, limits the number of jurisdictions whose privacy laws you need to comply with, and simplifies breach response. If a breach occurs and all data is within Canadian borders, you are dealing with one regulatory framework, not two or three.

Encrypt at rest and in transit. This should be table stakes, but many agencies still store data on systems without full-disk encryption or transmit information over unencrypted connections. If encrypted data is breached, the notification obligations may be reduced because the data is not readily accessible.

Reduce detection time. The 231-day average detection time in healthcare is a scandal. Implement logging, set up alerts for unusual access patterns, and conduct regular access reviews. Many breaches are detected not by the organization but by a third party, often law enforcement, which means the organization loses control of the narrative.
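The "alerts for unusual access patterns" recommendation above is concrete enough to show in code. What follows is an added example written for this article, not a Merakey product feature: a small Python detector that reads access-log lines and raises three kinds of alert a DS agency would want reviewed, namely record access outside business hours, access from a source IP outside the agency network, and one account touching an unusually large number of distinct records in a short window (the pattern a bulk export or a compromised credential typically produces). The log format, the internal network range, the business-hours window, and the bulk thresholds are all assumptions chosen for the illustration, and the log lines are constructed, not captured from any real system.

```python
"""Flag unusual access to personal health information in access-log lines.

Added illustration for the "reduce detection time" recommendation. The log
format, network range, business hours and thresholds below are assumptions,
not settings from any real agency or product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed log format: ISO timestamp, staff user, action, record id, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) ip=(?P<ip>\S+)$"
)

INTERNAL_NETS = [ip_network("10.20.0.0/16")]  # assumed agency LAN range
BUSINESS_HOURS = (7, 19)                       # assumed 07:00-19:00 (log clock)
BULK_THRESHOLD = 20                            # distinct records per window
BULK_WINDOW = timedelta(minutes=30)

# Constructed sample log: routine daytime access, one late-night read, one
# read from an outside address, one malformed line, and a burst of 25
# distinct records read by a single user within 25 minutes.
SAMPLE_LOG = "\n".join(
    [
        "2026-02-10T09:12:04Z user=mlee action=view record=ISP-0412 ip=10.20.1.14",
        "2026-02-10T09:13:10Z user=mlee action=view record=ISP-0418 ip=10.20.1.14",
        "2026-02-10T09:40:55Z user=rkhan action=update record=MAR-2231 ip=10.20.1.22",
        "2026-02-10T23:47:31Z user=rkhan action=view record=ISP-0777 ip=10.20.1.22",
        "2026-02-10T10:05:00Z user=mlee action=view record=ISP-0420 ip=203.0.113.45",
        "malformed line that the parser must skip, not crash on",
    ]
    + [
        f"2026-02-10T14:{i:02d}:00Z user=tbrown action=view record=ISP-{1000 + i} ip=10.20.1.30"
        for i in range(25)
    ]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse all lines, drop malformed ones, and return events sorted by time."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Apply the three rules and return a list of alert tuples."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        # Rule 1: any record access outside business hours.
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("after_hours", e["user"], e["record"], e["ts"].isoformat()))
        # Rule 2: source address outside the agency's own network.
        if not any(ip_address(e["ip"]) in net for net in INTERNAL_NETS):
            alerts.append(("external_ip", e["user"], e["record"], e["ip"]))
        by_user[e["user"]].append(e)

    # Rule 3: one user reading many distinct records inside a sliding window.
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > BULK_WINDOW:
                    break
                seen.add(e["record"])
            if len(seen) > BULK_THRESHOLD:
                alerts.append(("bulk_access", user, len(seen), start["ts"].isoformat()))
                break  # one alert per user is enough to trigger an access review
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as a script, it prints one after-hours alert for rkhan, one external-IP alert for mlee, and one bulk-access alert for tbrown. Two design points matter more than the rules themselves: malformed lines are skipped rather than allowed to abort the run (a detector that crashes on bad input is a detector an attacker can silence), and the bulk rule uses a sliding window keyed on the first read, so a burst that straddles a clock hour is still caught. In practice the thresholds should be tuned against a few weeks of normal logs so that legitimate workflows, such as a nurse reviewing every resident's medication record before a shift, do not drown the real signals.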

Train staff on phishing and social engineering. IBM's report consistently identifies compromised credentials as the most common initial attack vector. Training that teaches staff to recognize phishing emails, verify unusual requests, and report suspicious activity is one of the highest-ROI security investments an agency can make.

Data residency as risk mitigation

The shift toward Canadian-hosted infrastructure is not just about compliance. It is about reducing the blast radius of a potential breach. When your data, your AI models, and your application infrastructure all run within Canada, on servers you control or that a Canadian provider manages under Canadian law, you eliminate an entire category of risk.

No cross-border data transfers means no US CLOUD Act exposure. No third-party API calls means no vendor-side breaches affecting your data. No shared cloud tenancy means no lateral movement from a compromised neighbor.

At Merakey, every product we build runs on 100% Canadian infrastructure. Meridian scans compliance data without it ever leaving your network. Sentinel runs AI models locally with no external API calls. The architecture is designed so that the question of "where is my data?" always has the same answer: right where you put it, in Canada, under your control.
