HIPAA and PHI Breaches Are Costly to Taxpayers

Who Pays for PHI Breaches, HIPAA Violations, and Cyber Attacks in 2025?


The U.S. healthcare system may feel broken to many taxpayers—rising premiums, higher deductibles, denials for medically necessary care, and consolidation that squeezes independent providers. But one thing that cannot afford to be broken is healthcare security. Every time a payment processor, EHR, or health plan suffers a cyber incident, the bill does not stop at the breached organization. The cost is pushed downstream to providers, payers, and ultimately, taxpayers and members.


This article reframes cyber risk in financial terms: who actually pays when PHI is exposed, systems go offline, and claims stop moving—and why software vendors and major health plans should carry far more of that burden than they do today.

The Financial Fallout of Healthcare Cyber Attacks

Direct Losses to Providers and Payers

In 2024 alone, providers absorbed an estimated $21.9 billion in losses tied to security failures at payers, payment processors, and EHR vendors. Since 2022, more than 50 major ransomware and technology attacks have frozen provider and payer operations for an average of 17–27 days at a time. During those outages, authorizations stall, claims cannot be submitted or paid, and cash flow dries up.



When revenue stops but payroll, rent, and malpractice premiums do not, providers are forced to cut hours, furlough staff, or close service lines. Payers, meanwhile, scramble to implement manual workarounds, fund emergency payments, and deal with late-payment interest, provider disputes, and regulatory scrutiny. None of those costs are “absorbed”—they are baked into future premium increases and provider rate negotiations.

  • How Providers Ultimately Pay

    Providers lose revenue the moment claims stop moving. With thin margins, even a 10-day outage can collapse cash flow, forcing practices to secure high-interest credit lines, downsize staff, delay payroll, pause elective procedures, and reduce clinic hours. Hospitals face even larger exposure—millions in daily charges they cannot collect on. Providers bear the financial shock immediately, long before insurers or regulators step in, creating long-term instability in access, staffing, and service line availability.

  • How Patients and Members Ultimately Pay

    Patients experience the downstream cost of cyber failures through higher premiums, narrower networks, increased prior authorization scrutiny, slower claim processing, and heightened medical debt risk. When providers downsize or close locations, members face longer wait times and reduced access to specialists. Financially, every breach increases operational costs that get redistributed into deductibles, copays, and out-of-pocket limits. Members pay both directly—and indirectly—through reduced quality and availability of care.

  • How Taxpayers Ultimately Pay

    When Medicare, Medicaid, VA systems, and safety-net hospitals are impacted, cyberattacks become public spending events. Taxpayers fund emergency stabilization payments, supplemental appropriations, fraud investigations, system rebuilds, and higher reimbursement rates designed to keep essential providers solvent. Public programs also shoulder the long-tail cost of identity theft, credit repair, and benefit fraud triggered by PHI exposure. What begins as a private-sector breach often ends as a taxpayer-funded recovery effort.

  • How Payers Ultimately Pay

    Even when a breach occurs upstream—at a processor, EHR vendor, or large health plan—payer organizations inherit enormous downstream financial strain. They must fund manual workarounds, advance emergency payments, reprocess suspended claims, absorb provider disputes, and pay regulatory penalties or interest for delayed adjudication. These losses directly influence future premium filings, medical loss ratio pressure, benefit reductions, and member cost-sharing structures. In short, payers carry the operational burden and then must find ways to recover those costs in the next plan year.


The Change Healthcare Breach: A Case Study in Systemic Risk


Before its high-profile cyberattack, Change Healthcare, a UnitedHealth Group subsidiary, processed roughly half of all U.S. claims. When its systems went down, 60–80% of dependent providers reported material financial impact: delayed payments, inability to file claims, and decisions to downsize or restrict access.


This was not a “provider IT failure.” It was a single vendor failure that cascaded through thousands of hospitals, practices, and health plans. Yet the cost was socialized—providers and payers carried the losses, and taxpayers will feel the impact through higher public program spending.

Targeted Auditing Gets Faster Results Without Stripping Providers of Legitimate Profits


In response to headline breaches, federal agencies have focused heavily on new requirements for hospitals and providers—such as encrypting every message, upgrading systems, expanding monitoring, and hardening endpoints. These safeguards are essential, but they come with a price tag estimated at $6–$9 billion per year for implementation and ongoing operations.


That spending competes directly with the investments organizations would otherwise make in staffing, clinical technology, and member-facing services. Worse, this approach assumes that small and mid-size providers are the primary attack targets, when in reality attackers typically go where the data and ransom potential are most significant: national plans, claims hubs, and widely deployed software platforms.

  • Why This Approach Overburdens the Front Line

    Healthcare delivery organizations are already dealing with staffing shortages, rising supply costs, and complex reimbursement rules. Requiring them to shoulder enterprise-grade security responsibilities that should sit with payment processors, health plans, and software vendors shifts the cost to the least capitalized players and, ultimately, to patients and taxpayers.

PHI Breaches Are Growing—and So Are the Bills


The number and scale of PHI breaches continue to climb:


  • Overall healthcare data breaches increased again in 2023.
  • Thirteen separate incidents in 2024 each exposed over 1 million records, totaling more than 146 million PHI disclosures.
  • Individual events—from the Medusind breach (360,000 affected) to MOVEit vulnerabilities tied to Medicare data—illustrate how quickly a single vendor issue can impact hundreds of thousands of patients.


Every record exposed carries downstream cost: notification, credit monitoring, legal exposure, regulatory fines, and loss of trust. Those costs are priced into future contracts, premiums, and public spending.

  • Tax Exposure Is Real

    When Medicare, Medicaid, or government-funded plans are involved, breach response is not just a corporate line item—it is a public expense. Tax dollars pay for investigations, remediation, and in some cases, higher reimbursement to stabilize struggling providers after major incidents.


What Healthcare Software Should Do by Default

Intelligent PHI Guardrails Built Into the Platform


The core problem is not that clinicians share too much information; it is that many platforms do too little to manage that information safely. For utilization review and claims, providers should be able to include robust clinical detail so payers can make accurate medical necessity decisions. The platform should control PHI exposure—not the bedside nurse or front-desk staff.


At a minimum, EMRs, EHRs, billing platforms, and payment processors should automatically evaluate:


  • Who is sending the data (user identity and role)
  • Which organization and domain they represent
  • Who is receiving the data and what their permissions are
  • Whether the payload exceeds what each party is allowed to see

  • Built-In Decisioning, Not Manual Guesswork

    A modern system should be able to:

    • Encrypt messages automatically where required
    • Mask or omit PHI for parties without a need to know
    • Block transmissions that violate HIPAA or contractual rules

    These controls should be vendor responsibilities, not manual checklists imposed on overworked clinical teams.
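The decisioning described above, as an added illustration rather than code from PCG or any platform named on this page: the sender's role, the receiver's domain and role, and the payload's scope are evaluated inside the platform, and the result is send, send with masking/omission, or block, with an encryption requirement attached. The field classes, roles, domains and the BAA list are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed field classes for a utilization-review or claim payload (assumption).
DIRECT_IDENTIFIERS = {"patient_name", "patient_dob", "ssn"}
CLINICAL_DETAIL = {"diagnosis_codes", "procedure_codes", "clinical_notes"}
BILLING_FIELDS = {"member_id", "claim_id", "billed_amount"}

# Constructed policy: roles that may originate a transmission, what each receiving
# role has a need to know, and receiving domains covered by a business associate
# agreement (BAA). A real platform would load these from its configuration.
SENDING_ROLES = {"provider_um_nurse", "provider_billing"}
ROLE_VISIBILITY = {
    "payer_medical_director": DIRECT_IDENTIFIERS | CLINICAL_DETAIL | BILLING_FIELDS,
    "payer_claims_examiner": CLINICAL_DETAIL | BILLING_FIELDS,
    "audit_engine": {"diagnosis_codes", "procedure_codes"} | BILLING_FIELDS,
}
BAA_DOMAINS = {"examplehealthplan.test"}

@dataclass
class Party:
    user: str
    role: str
    domain: str

@dataclass
class Decision:
    action: str                 # "send", "send_masked" or "block"
    encrypt: bool               # transport must be encrypted before release
    payload: dict               # what may actually leave the platform
    reasons: list = field(default_factory=list)

def evaluate_transmission(sender: Party, receiver: Party, payload: dict) -> Decision:
    """Decide inside the platform whether, and in what form, a payload may leave."""
    if sender.role not in SENDING_ROLES:
        return Decision("block", False, {}, [f"sender role {sender.role!r} may not transmit"])
    if receiver.domain not in BAA_DOMAINS:
        return Decision("block", False, {}, [f"domain {receiver.domain!r} has no BAA"])
    allowed = ROLE_VISIBILITY.get(receiver.role)
    if not allowed:
        return Decision("block", False, {}, [f"receiver role {receiver.role!r} unknown"])
    out, reasons = {}, []
    for key, value in payload.items():
        if key in allowed:
            out[key] = value                       # receiver has a need to know
        elif key in DIRECT_IDENTIFIERS:
            out[key] = "[MASKED]"                  # keep the field, hide the value
            reasons.append(f"masked {key}")
        else:
            reasons.append(f"omitted {key}")       # drop what exceeds the receiver's scope
    # Any identifier that survives masking makes the payload PHI: require encryption.
    encrypt = any(k in DIRECT_IDENTIFIERS | {"member_id"} and v != "[MASKED]"
                  for k, v in out.items())
    return Decision("send_masked" if reasons else "send", encrypt, out, reasons)
```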

Secure Transfer Is Table Stakes, Not a Differentiator

Secure file transfer (SFTP over SSH) and strong encryption are not “premium features”—they are the bare minimum. Properly configured SFTP ensures both sides of a connection are authenticated and that in-flight data cannot be read or altered. Yet history has shown that misconfigured or poorly managed transfer processes can still create vulnerabilities.

  • What Payers Should Be Asking Vendors

    • How are code sets, edits, and configuration files updated—SFTP, APIs, or ad-hoc methods?
    • Who can access those transfers, and how are keys and credentials managed?
    • Can you prove you never store PHI, or that storage is segregated and encrypted with strict access controls?


    If a vendor cannot answer these questions clearly, the operational and reputational risk will ultimately land on the payer and its members.

PCG Security as a Case Study

Virtual Examiner is installed on the payer’s own infrastructure and linked to the adjudication system. It audits today’s claims against up to three years of history at the episode-of-care level, looking for overpayments, coding errors, and potential fraud, waste, and abuse. VE does not need to know who the patient or provider is—only member IDs and billing identifiers.



Claims flagged by VE are quarantined for human review, and access to those findings is controlled entirely by the payer. Reports do not contain patient or provider names. Code updates that keep VE aligned with current CMS, AMA, and Medicaid rules are delivered via secure SFTP, without transmitting PHI.

  • Where the Liability Properly Sits

    PCG provides the audit engine and code intelligence; the payer retains ownership and responsibility for its own infrastructure, data, and access controls. PCG never stores or processes PHI in its own environment, and in more than 30 years of operations, PCG has never had a HIPAA violation or security breach on record.

  • Real-Time Claims Auditing Through Billing Software Vendors

    VEWS™ brings the same audit logic to provider-side billing systems. It integrates with an EMR, EHR, or billing platform to flag incorrect codes, missing modifiers, and policy conflicts before a claim is submitted. VEWS looks only at codes and claim attributes—it does not see, store, or transmit patient or provider identities.


    This structure places HIPAA responsibility where it belongs: on the billing platform that originates the claim and the payment processor that sends it to the payer, not on the audit engine that simply evaluates code logic.

  • Provider Auditing Without PHI

    iVECoder® allows coders and billing staff to test scenarios through a secure online portal. Users enter age, sex, and claim details to see how Medicare and Medicaid guidelines evaluate a proposed claim. The system does not accept or store names or other direct identifiers, ensuring that code education and scenario testing never introduce new PHI risk.

Ready to Strengthen HIPAA Compliance and Save Money?

PCG Software helps payers reduce overpayments, fraud, and waste through Virtual Examiner® and supports hospitals and clinics with pre-submission auditing through VEWS™ and iVECoder®. All three solutions are designed to minimize PHI exposure while maximizing financial integrity.


If your organization wants to tighten HIPAA compliance, reduce cyber-related financial risk, and improve audit performance without shifting costs to front-line providers, we’d be happy to talk.


About PCG

For over 30 years, PCG Software Inc. has been a leader in AI-powered medical coding solutions, helping Health Plans, MSOs, IPAs, TPAs, and Health Systems save millions annually by reducing costs, fraud, waste, abuse, and improving claims and compliance department efficiencies. Our innovative software solutions include Virtual Examiner® for Payers, VEWS™ for Payers and Billing Software integrations, and iVECoder® for clinics.
