How much would a breach cost you?
Inputs: record count + states of operation + OCR culpability tier. Outputs: HHS civil monetary penalty, state AG exposure, class-action settlement risk, notification cost, and forensic/remediation spend — with the specific 45 CFR § section that drives each component.
Rough estimate for scoping purposes. Real outcomes depend on OCR culpability findings, whether notification obligations trigger, state AG cooperation, and the specifics of class-action consolidation. Use these numbers to frame the investment in proactive assessment, not as legal advice.
A single proactive assessment costs 0.183% of the estimated breach exposure above. The math is not close.
How the numbers are built.
HHS / OCR civil monetary penalty
Modeled against 45 CFR § 160.404 inflation-adjusted tiers (2024). Tier 2 (reasonable cause) baseline per-record violation is $30, scaling with culpability: Tier 3 ×2.5, Tier 4 ×5. Capped at the Tier 4 annual ceiling of $2,067,813 per violation type per calendar year per 45 CFR § 160.404(b)(2)(iv). This approximates the $4.3M average resolution for mid-size OCR breach settlements in 2024.
State AG penalty exposure
State-level enforcement multipliers applied to the HHS baseline. High-enforcement states (CA, NY, TX, MA, IL, WA) have multipliers of 0.35-0.55. Most states are 0.05-0.15. Aggregated across all selected states. Data derived from the National Association of Attorneys General 2023-24 healthcare enforcement report and public AG press releases.
Class-action settlement exposure
Healthcare breach class actions 2020-2024 settled at roughly $10-$85 per affected individual. Midpoint of $35 used. Only activated above a 5,000-individual threshold (the lower bound where class-action plaintiff firms typically file). Based on public settlement records and the Herrick Feinstein healthcare breach litigation tracker.
Individual notification cost
Ponemon / IBM 2024 Cost of a Data Breach Report — healthcare record notification all-in cost: $177 per record. This includes mail fulfillment, call center, credit monitoring (12 months standard), and legal review for notification letter text per 45 CFR § 164.404.
Forensic response & remediation
IR retainer, external forensic investigation, counsel, communications support, and remediation engineering. The IBM 2024 healthcare average is $1.0M, which we apply as a floor. For larger breaches, an additional $8 per record is applied.
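The five components above can be implemented directly from the constants the page states. The following is an added worked example, not the page's own calculator code. Where the page gives a range or leaves a term undefined (the state multiplier ranges, Tier 1, what counts as a "larger breach"), the value chosen is labelled as an assumption in the code; the forensic component is modelled as max(floor, $8 × records), which reads the floor literally and makes the per-record term take over automatically above 125,000 records.

```python
"""Added worked example of the breach-exposure model described on the page.

Constants marked PAGE come from the page text; constants marked ASSUMED fill
gaps the page leaves open (ranges, undefined thresholds) and are placeholders.
"""
from dataclasses import dataclass

# PAGE: 45 CFR 160.404 Tier 2 baseline per record, and culpability scaling.
TIER2_PER_RECORD = 30.0
TIER_MULTIPLIER = {2: 1.0, 3: 2.5, 4: 5.0}          # Tier 1 is not modelled on the page
# PAGE: Tier 4 annual ceiling per violation type per calendar year, 160.404(b)(2)(iv).
HHS_ANNUAL_CAP = 2_067_813.0
# PAGE: high-enforcement states; ASSUMED: midpoints of the 0.35-0.55 and 0.05-0.15 ranges.
HIGH_ENFORCEMENT_STATES = {"CA", "NY", "TX", "MA", "IL", "WA"}
HIGH_STATE_MULTIPLIER = 0.45
OTHER_STATE_MULTIPLIER = 0.10
# PAGE: class-action component only above 5,000 individuals, midpoint $35 each.
CLASS_ACTION_THRESHOLD = 5_000
CLASS_ACTION_PER_PERSON = 35.0
# PAGE: IBM/Ponemon 2024 all-in healthcare notification cost per record.
NOTIFICATION_PER_RECORD = 177.0
# PAGE: IBM 2024 healthcare average applied as a floor, plus $8 per record for larger breaches.
# ASSUMED: "floor" is read as max(floor, per-record term), so the per-record term
# dominates once 8 * records exceeds $1.0M (i.e. above 125,000 records).
FORENSIC_FLOOR = 1_000_000.0
FORENSIC_PER_RECORD = 8.0


@dataclass(frozen=True)
class Exposure:
    """One estimate, broken out by the page's five cost components (USD)."""
    hhs_penalty: float
    state_ag: float
    class_action: float
    notification: float
    forensic: float

    @property
    def total(self) -> float:
        return (self.hhs_penalty + self.state_ag + self.class_action
                + self.notification + self.forensic)


def hhs_penalty(records: int, tier: int) -> float:
    """Per-record Tier 2 baseline scaled by culpability, capped at the annual ceiling."""
    if tier not in TIER_MULTIPLIER:
        raise ValueError(f"unsupported OCR culpability tier {tier}; model covers tiers 2-4")
    uncapped = records * TIER2_PER_RECORD * TIER_MULTIPLIER[tier]
    return min(uncapped, HHS_ANNUAL_CAP)


def state_ag_exposure(hhs_baseline: float, states) -> float:
    """Apply each selected state's multiplier to the HHS figure and sum (duplicates ignored)."""
    total = 0.0
    for state in {s.upper() for s in states}:
        multiplier = (HIGH_STATE_MULTIPLIER if state in HIGH_ENFORCEMENT_STATES
                      else OTHER_STATE_MULTIPLIER)
        total += hhs_baseline * multiplier
    return total


def class_action_exposure(records: int) -> float:
    """Zero below the filing threshold; midpoint per-person settlement above it."""
    if records <= CLASS_ACTION_THRESHOLD:
        return 0.0
    return records * CLASS_ACTION_PER_PERSON


def notification_cost(records: int) -> float:
    return records * NOTIFICATION_PER_RECORD


def forensic_cost(records: int) -> float:
    return max(FORENSIC_FLOOR, records * FORENSIC_PER_RECORD)


def estimate_exposure(records: int, tier: int, states) -> Exposure:
    """Combine the components for a given record count, culpability tier and state list."""
    hhs = hhs_penalty(records, tier)
    return Exposure(
        hhs_penalty=hhs,
        state_ag=state_ag_exposure(hhs, states),
        class_action=class_action_exposure(records),
        notification=notification_cost(records),
        forensic=forensic_cost(records),
    )


def assessment_share_pct(assessment_cost: float, exposure_total: float) -> float:
    """Proactive assessment cost as a percentage of modelled exposure."""
    return assessment_cost / exposure_total * 100.0


if __name__ == "__main__":
    # Constructed scenario: 50,000 records, Tier 3 finding, operating in CA and OH.
    est = estimate_exposure(50_000, 3, ["CA", "OH"])
    for name, value in vars(est).items():
        print(f"{name:<14}${value:>16,.2f}")
    print(f"{'total':<14}${est.total:>16,.2f}")
    print(f"$15,000 assessment = {assessment_share_pct(15_000, est.total):.3f}% of exposure")
```

In the constructed 50,000-record Tier 3 scenario the HHS component hits the annual cap, the CA multiplier dominates the state AG line, and notification cost is by far the largest item, which is the usual shape of these estimates and the reason the per-record notification figure matters more to the total than the culpability tier does.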
Important caveats
These are rough estimates for scoping purposes. Actual outcomes depend heavily on OCR’s culpability finding, whether the breach meets the 45 CFR § 164.402 definition, corrective action plan terms, state AG cooperation or independent action, and whether class actions consolidate or proceed separately. Use these numbers to frame proactive investment, not as legal advice.
Find the vulnerabilities before OCR does.
A HIPAA Security Risk Assessment starts at $15,000. The Annual HIPAA Pentest is $25,000. Both are dramatically less than the numbers above.
Schedule a scoping call