TL;DR: Healthcare organizations reporting losses above $200,000 nearly quadrupled from 5% to 19% year over year, while 48% experienced at least one incident and 31% saw compromised user or admin accounts, according to Netwrix's 2025 Cybersecurity Trends Report. The findings show that identity-first defence is no longer optional when AI-accelerated phishing and privilege abuse are driving faster, costlier attacks.
NHIMG editorial — based on content published by Netwrix: Healthcare Cyberattack Losses Above $200,000 Nearly Quadruple in 12 Months, Netwrix Survey Finds
By the numbers:
- Nearly half, 48%, of healthcare organizations experienced at least one cybersecurity incident over the past year.
- Across all industries in 2025, only 13% reported losses above $200,000 and 6% above $500,000.
- More than a third, 37%, of IT and security professionals said AI-driven threats had already forced them to strengthen defenses.
Questions worth separating out
Q: What breaks when healthcare identity controls do not keep up with credential theft?
A: When identity controls lag behind credential theft, a single phishing event can become a privileged account compromise, then a broader data or operational incident.
Q: Why do compromised user and admin accounts increase healthcare breach costs so quickly?
A: Compromised user and admin accounts are expensive because they already sit close to sensitive records and operational systems.
Q: How do security teams know whether identity-first defence is working in healthcare?
A: Identity-first defence is working when compromised accounts are detected quickly, privileged actions are constrained, and revocation happens before the attacker can move from login to meaningful access.
Practitioner guidance
- Reduce the value of every credential after compromise. Segment privileged access so a single user or admin account cannot reach patient data, infrastructure, and administrative tools at once.
- Shorten the lifetime of privileged usefulness. Apply tighter joiner-mover-leaver handling, session controls, and just-in-time elevation so high-risk access exists for less time and is easier to revoke after an incident.
- Instrument account abuse as an incident trigger. Alert on impossible travel, unusual privilege use, and admin activity from new devices or locations, then revoke access before the account is used to move into clinical or record systems.
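A sketch of the third item's triggers, added here as an illustration and not taken from Netwrix's report or tooling: it flags impossible travel and admin activity from a device the account has not used before, and returns the accounts to hand to revocation. The event fields, the speed and distance thresholds, and the sample sign-ins are all assumptions constructed for the example; the revocation call itself depends on the identity provider and is left out.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0    # assumed floor: ignore geolocation jitter inside one metro area

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    device: str
    privileged: bool  # True when the session performed an admin action

def km_between(a, b):
    """Great-circle (haversine) distance in km between two sign-ins."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def triage(events):
    """Return (alerts, accounts_to_revoke) for a batch of sign-in events."""
    last, devices, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # Zero elapsed time across a real distance is also impossible travel.
            if dist > MIN_KM and (hours <= 0 or dist / hours > MAX_KMH):
                alerts.append((ev.user, "impossible_travel"))
        seen = devices.setdefault(ev.user, set())
        # The first event per user only seeds the baseline; it cannot be "new".
        if ev.privileged and seen and ev.device not in seen:
            alerts.append((ev.user, "admin_from_new_device"))
        seen.add(ev.device)
        last[ev.user] = ev
    return alerts, sorted({user for user, _ in alerts})

# Constructed sample events (not real telemetry).
SAMPLE = [
    SignIn("nurse01", datetime(2025, 3, 1, 8, 0), 41.88, -87.63, "ws-114", False),
    SignIn("nurse01", datetime(2025, 3, 1, 16, 0), 41.90, -87.65, "ws-114", False),
    SignIn("adm-lee", datetime(2025, 3, 1, 9, 0), 51.51, -0.13, "lt-007", True),
    SignIn("adm-lee", datetime(2025, 3, 1, 10, 0), 1.35, 103.82, "unk-9f2", True),
]
```

In production the device baseline would be seeded from historical sign-in data, so the first event in a batch is not automatically trusted.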
What's in the full report
Netwrix's full report covers the operational detail this post intentionally leaves for the source:
- Breakdowns of survey methodology across 2,150 IT and security professionals in 121 countries.
- Industry-by-industry comparisons of incident and loss severity beyond the healthcare subset.
- The report's broader identity and AI threat findings that sit behind the healthcare figures.
- Additional survey results that help security leaders benchmark their own exposure against peers.
👉 Read Netwrix's 2025 Cybersecurity Trends Report findings on healthcare breach losses →