The cost of a data breach in Dutch healthcare

April 2026

For more than a decade, healthcare has been the most expensive sector worldwide when it comes to data breaches. According to IBM, the average cost of a data breach in healthcare is by far the highest of any industry — and has been since 2010. The most recent figure is around $9.77 million per incident.[1]

In the Benelux region, the average cost of a data breach is around €6 million according to the IBM Cost of a Data Breach Report 2025 — up from €5.45 million the previous year.[2]

For context: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) found that a cyberattack costs an organisation €103,976 on average — but that is the average across all sectors, including smaller incidents.[3] For larger attacks, such as ransomware against hospitals or laboratories, the cost quickly runs into the millions. For healthcare organisations specifically, the figure is structurally higher than this cross-sector average: healthcare organisations are the worst off, with the cost of a data breach roughly 60% higher than for organisations in other sectors.[1]

How are those costs made up?

The costs fall into two broad categories:

Direct costs (~34% of the total)

  • Forensic investigation and breach detection
  • IT recovery and patching of vulnerabilities
  • Legal counsel and external consultants
  • Mandatory notification to the AP (within 72 hours) and to affected individuals
  • Possible ransom payment in the case of ransomware

Indirect costs (~66% of the total — the largest share)

Indirect costs make up the lion’s share: lost revenue, a decline in customers/patients, brand damage and lost time. The “lost business” category — revenue lost to downtime and operational disruption — is on average the single largest contributor to total cost.

For healthcare specifically, additional cost drivers come into play:

  • GDPR fines: Dutch hospital HagaZiekenhuis was fined €460,000 for inadequate protection of patient records (later reduced to €350,000 by the court).[4]
  • Reputational damage and patients avoiding care: researchers have warned that patients avoiding care is a common reaction to privacy incidents in healthcare, leading to structural revenue loss.
  • Follow-on phishing: after a breach involving medical data, victims are frequently targeted with tailored phishing, requiring additional crisis management.

On top of that, healthcare providers operate in a heavily regulated sector and therefore incur additional costs in the wake of a breach, such as fines and penalties, compliance with statutory requirements, and activities such as monitoring or reissuing accounts.

Why are those costs so high in healthcare?

Healthcare has been a popular target for hackers for so long partly because not all of the technology used by healthcare providers is up to date, and partly because these organisations are particularly sensitive to disruption, since patient safety is at stake.

Cybercriminals use medical records as leverage, putting extra pressure on affected organisations to pay a ransom.

Conclusion

A serious data breach in Dutch healthcare quickly costs several million euros, and the invisible costs (reputation, patients avoiding care, lengthy recovery efforts) far outweigh the direct IT costs.


  1. IBM, Cost of a data breach: The healthcare industry. https://www.ibm.com/think/insights/cost-of-a-data-breach-healthcare-industry

  2. IBM, Cost of a Data Breach Report 2025 (Benelux figures via Emerce). https://www.emerce.nl/wire/kosten-datalekken-benelux-gestegen-tot-gemiddeld-6-miljoen-ondanks-wereldwijde-daling-gemiddelde-kosten

  3. Autoriteit Persoonsgegevens, Data theft by cybercriminals doubled (Data Breach Report 2024). https://www.autoriteitpersoonsgegevens.nl/actueel/ap-datadiefstal-door-cybercriminelen-verdubbeld

  4. Autoriteit Persoonsgegevens, Fine HagaZiekenhuis. https://www.autoriteitpersoonsgegevens.nl/documenten/boete-hagaziekenhuis