Patient Protect

276,000,000

Americans had their protected health information exposed in 2024.

81% of the country — more than every prior year combined. Attackers had a 93-day head start. What follows is independent research on breach economics, ePHI dark-market pricing, and the data behind the crisis.

Last reviewed April 2026 · Secure Care Research Institute · Chicago, IL

What a breach looks like

A cancer patient whose chemotherapy was delayed three weeks. A diabetic who rationed insulin for nine days. A rural clinic that closed permanently, leaving 4,000 patients without primary care. These aren't edge cases. They're the predictable output of a system where stolen health data is worth more than credit cards, and the average time between breach and notification is longer than a fiscal quarter.

The 93-day gap between breach occurrence and victim notification is a 93-day window during which stolen medical identities are sold, synthetic accounts opened, fraud committed — all while responsible entities remain silent.

The Cyber-Economic Stack, §9.1 — SSRN 5792382

The research

Featured Paper · SSRN #5257628 · v1.8 · Jan 2025

The Economics of ePHI Exposure

A Long-Term Impact Model of Healthcare Data Breaches

Constructs a 10-year cumulative cost model across six domains: regulatory penalties, litigation, insurance shifts, patient attrition, remediation costs, and downstream fraud. Establishes that breach consequences compound — not conclude — after year one.

1. 10-year cumulative breach cost exceeds year-one expenses by 300–500% for most providers
2. A 5,000-record breach at a mid-sized clinic with weak security generates $4–6M in 10-year impact
3. 70% of patients report willingness to switch providers post-breach; revenue erosion routinely exceeds direct costs
4. Attacks on physician practices rose 6x between 2021–2022 (Critical Insight)
5. Two documented small-practice closures directly attributed to ransomware in 2019

This analysis reframes breaches not as isolated security failures, but as chronic financial liabilities with systemic implications. Small providers — who make up the backbone of American care delivery — are the least equipped to absorb this kind of long-tail risk.

The Economics of ePHI Exposure, §7 — SSRN 5257628

Companion Paper · SSRN #5792382 · v2.6 · Jan 2025

The Cyber-Economic Stack

How AI Turns Healthcare Data Into a Financialized Attack Asset

Introduces a three-layer analytical framework linking dark-market economics, AI amplification, and transparency asymmetry. Three empirical indices — DMVI, AAF, and HTI — are unified in a Transparency-Adjusted Risk Function (TARF) that predicts systemic exploitability.

1. PHI commands $280–310/record vs. $30–50 for credit cards — an 8–10x structural premium driven by immutability and multi-domain fraud utility
2. AI Amplification Factor of 1.18–1.30 post-ChatGPT: voice fraud +70%, synthetic identity +27%, phishing +36% in fraud yield per record
3. Healthcare HTI avg. of 23 vs. finance's 81 — a 3.5x transparency deficit creating a 93-day arbitrage window where data retains maximum liquidity
4. Halving disclosure latency (93 → 46 days) projected to reduce sector-wide exploit ROI by 25–35% — equivalent to $8–12B in suppressed fraud losses annually
5. TARF shows preliminary predictive validity: r = 0.61 with actual breach costs across n=18 litigation cases

Attackers operate in transparent, liquid data markets with near-perfect price discovery. Defenders operate blind. The asymmetry isn’t an accident — it’s the architecture.

The Cyber-Economic Stack, §9.5 — SSRN 5792382
JEL D82, I18, L51 · Secure Care Research Institute, Chicago

Alexander Perrin

Founder & CEO, Patient Protect · Secure Care Research Institute

2 SSRN papers · 60+ sources · 1,423 breaches · 5-year dataset
100% independently funded · © 2026 SCRI / Patient Protect LLC

Read the paper

The Economics of ePHI Exposure

A Long-Term Impact Model of Healthcare Data Breaches · 39 pages · SSRN #5257628

The framework

The cornerstone failure isn't encryption — it's asymmetry.

Attackers operate in transparent, liquid markets with near-perfect price discovery. Defenders operate blind. The Cyber-Economic Stack models this gap through three empirical indices unified in a single exploitability score — TARF. The primary lever to reduce it: disclosure transparency.

$$\mathrm{TARF}_t = \frac{\mathrm{DMVI}_t \times \mathrm{AAF}_t \times R_t}{\mathrm{HTI}_t}$$

DMVI = Dark-market value index
AAF = AI amplification factor
R = Reusability decay factor
HTI = Healthcare transparency index

1. Dark-Market Value Index (DMVI)

Median price of stolen PHI in criminal markets. Unlike credit cards, PHI is immutable — SSNs, diagnoses, and birth dates cannot be revoked, creating permanent multi-domain fraud utility.

PHI: $280–310/record · Credit cards: $30–50 · PHI CAGR: +4.1%

2. AI Amplification Factor (AAF)

How generative AI increases attacker ROI per record. The ChatGPT release collapsed the skill barrier — voice cloning from 3-second samples, synthetic personas at scale, phishing that passes every test.

AAF: 1.18–1.30 · Voice fraud: 12% → 34% post-AI · +$38.60/record

3. Healthcare Transparency Index (HTI)

Scores disclosure quality across speed, richness, and cadence. HTI lives in the denominator of TARF — higher transparency compresses exploitability. Healthcare scores 23 vs. finance's 81.

Healthcare HTI: 23 · Finance: 81 · 3.5x deficit · r=−0.52 (p=0.003)

By the numbers

14 years

Consecutive years healthcare ranked #1 in breach costs

2.1×

Healthcare breach cost vs. financial services — the next highest sector

$280–310

Per-record dark-market price for stolen PHI — 8–10× credit cards

+475%

Voice-cloning fraud year-over-year increase (2024)

$1.5B

Cascading losses from the Change Healthcare breach (190M patients)

65–70%

Patients willing to switch providers after a data breach

93 days

Avg. time-to-detection in healthcare — vs. 4 days in finance

Built as a direct response to this evidence.

Patient Protect is security-first HIPAA compliance for the providers this research identifies as primary targets. Starting at $39/month.

From research to architecture

The Cyber-Economic Stack proved AI amplifies breach value by 18–30%. So we built an AI that defends against it.

PIPAA is an on-premises AI compliance copilot built directly from this research. It runs inside your infrastructure, touches zero PHI in the cloud, and operates under your BAA. The same technology weaponizing breaches is now the architecture defending against them.

Research-informed architecture

  • Zero Trust architecture — every request authenticated regardless of origin
  • AES-256-GCM encryption — NIST-approved, same standard as classified systems
  • AppSensor intrusion detection — behavioral analysis stops threats before breach
  • On-premises AI — compliance copilot that never sends PHI to the cloud

Citing this research

Use the following citation formats for academic papers, media, or reports.

Paper 02 — The Cyber-Economic Stack

APA

Perrin, A. (2025). The cyber-economic stack: How AI turns healthcare data into a financialized attack asset. Secure Care Research Institute, Patient Protect LLC. https://papers.ssrn.com/abstract=5792382

Chicago

Perrin, Alexander. “The Cyber-Economic Stack: How AI Turns Healthcare Data Into a Financialized Attack Asset.” Working Paper. Chicago: Secure Care Research Institute, Patient Protect LLC, 2025. https://papers.ssrn.com/abstract=5792382.

Paper 01 — The Economics of ePHI Exposure

APA

Perrin, A. (2025). The economics of ePHI exposure: A long-term impact model of healthcare data breaches. Secure Care Research Institute, Patient Protect LLC. https://papers.ssrn.com/abstract=5257628

Chicago

Perrin, Alexander. “The Economics of ePHI Exposure: A Long-Term Impact Model of Healthcare Data Breaches.” Working Paper. Chicago: Secure Care Research Institute, Patient Protect LLC, 2025. https://papers.ssrn.com/abstract=5257628.

For press and media

“According to research by Alexander Perrin of the Secure Care Research Institute (Patient Protect LLC, 2025)…”

Frequently asked questions

What is the average cost of a healthcare data breach in 2024?

The average cost of a U.S. healthcare data breach in 2024 was $9.8 million — more than double the financial services sector and 2.5 times the cross-industry average. Healthcare has held the #1 position in breach costs for 14 consecutive years (IBM Security & Ponemon Institute, 2024).

How much is stolen medical data worth on the dark web?

A full-package PHI record — including SSN, date of birth, diagnosis codes, and insurance information — commands a median dark-market value of $280–$310 per record. That is 8 to 10 times the value of stolen credit card data, driven by PHI’s immutability and multi-domain fraud utility (Intel 471, Recorded Future, Flashpoint, 2024).

How long does it take healthcare organizations to detect a data breach?

Healthcare organizations take an average of 93 days to detect a breach, compared to 4 business days for mandatory disclosure in SEC-regulated finance. This 93-day window creates a sustained exploitation period where stolen data retains maximum dark-market liquidity and fraud utility (Ponemon Institute, 2024).

What percentage of Americans had their health data exposed in 2024?

Over 276 million Americans — approximately 81% of the U.S. population — had their protected health information exposed in data breaches in 2024. This represents a 64% increase from 2023’s previous record (HHS Office for Civil Rights Breach Portal, 2025).

What is the HIPAA breach notification requirement?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals within 60 calendar days of discovering a breach of unsecured protected health information. Breaches affecting 500 or more individuals must also be reported to HHS OCR and prominent media outlets. Our research shows this 60-day window — combined with the 93-day average detection delay — creates a total exposure period far exceeding a fiscal quarter.

How does AI affect healthcare cybersecurity risk?

Our research quantifies an AI Amplification Factor (AAF) of 1.18–1.30 following the November 2022 ChatGPT release. AI has increased voice-cloning attacks on healthcare insurers by 475% year-over-year, boosted synthetic identity fraud by 27%, and improved phishing yield by 36% per compromised record — all while reducing the skill barrier for attackers to near-zero (Pindrop Security, 2025).
