Healthcare held the title of most-breached industry in the United States every year from 2019 through 2024. In 2025 it lost that title, not because hospitals and clinics got safer but because financial services got worse. The Identity Theft Resource Center tracked 739 data compromises in U.S. financial services last year, pushing healthcare into second place at 534 and marking the first time since 2018 that banking and insurance topped the annual count.
The three-year span from 2023 through 2025 tells a more interesting story than any single year. Total U.S. compromises went from 3,202 in 2023 to 3,152 in 2024 to 3,322 in 2025, a 79% increase over five years, with 2025 setting a new record. But the composition underneath that nearly flat top line shifted substantially. Professional services climbed into the top tier. Manufacturing swapped financial motives for espionage. Third-party breach involvement jumped from roughly 15% to 30% in a single year. And the distinction between “which industry gets attacked” and “which industry pays the most” diverged sharply enough that any honest ranking now needs both axes.
This analysis draws on three years of data from the ITRC’s annual reports, Verizon’s Data Breach Investigations Report (DBIR) for 2023, 2024, and 2025, and IBM’s Cost of a Data Breach Report for the same span. Where those sources disagree — and they sometimes do, because they measure different things — the discrepancies are noted rather than smoothed over.
The Three-Year Ranking by Volume
The ITRC’s data compromise count is the cleanest single metric for “how often did this industry get breached in the United States.” It captures breaches, leaks, and accidental exposures across publicly reported incidents, which makes it broader than Verizon’s confirmed-breach methodology but more consistent year over year.
Three movements stand out. First, financial services stayed remarkably flat in absolute terms — 744, 737, 739 — while every other industry moved. What changed is who else was hitting their numbers. In 2023, healthcare reported 809 compromises, far ahead of finance. Healthcare’s count collapsed by roughly a third in 2024 and held there in 2025, driven in part by a crackdown on over-reporting of incidents that didn’t meet the ITRC’s tightened criteria and a shift in attacker focus toward static identifiers held by banks.
Second, professional services grew 55% over three years, from 308 to 478 compromises. The ITRC identified it as “the sector with the most significant growth in attacks” in 2025. Law firms, accounting practices, consultancies, and managed service providers hold concentrated client data and increasingly serve as the soft entry point into harder targets. A single breach at a professional services firm cascades into client notifications across multiple industries.
Third, manufacturing’s 15% three-year rise understates the change in its breach profile. The Verizon 2025 DBIR flagged a “significant rise in espionage-motivated attacks” in the sector — a departure from the financially motivated pattern that defined manufacturing breaches historically. Manufacturing is no longer primarily a ransomware victim; it is increasingly an intellectual-property target for nation-state actors.
Cost vs. Count: Two Different Rankings
Volume and cost produce different leaderboards. Healthcare still tops IBM’s per-breach cost ranking for the 14th consecutive year at roughly $7.42 million per incident in 2025. Financial services came in second at $5.56 million. Manufacturing averaged around $5.00 million despite a lower compromise count than the top three.
Healthcare’s cost premium has persisted for 14 consecutive years for structural reasons: HIPAA penalties, the medical consequences of operational disruption, and the long tail of identity theft claims tied to medical records. The Ponemon Institute reports that over 93% of healthcare organizations experienced at least one cyberattack in 2024. Beyond the financial numbers, breach consequences at hospitals include delays in tests (56%), increased procedure complications (53%), longer patient stays (52%), and — the metric that changes how this sector should be discussed — higher mortality rates in 28% of attributed cases.
Financial services earns its second-place cost ranking through a combination of the SEC’s four-business-day Form 8-K disclosure rule for public companies (in force since December 2023), GLBA enforcement, state-level financial privacy requirements, and direct fraud losses. When Snowflake customer tenants that did not enforce MFA were targeted in April 2024, roughly 165 organizations across sectors had data exfiltrated, among them financial institutions, and the downstream cost is still working its way through the system.
Why Financial Services Overtook Healthcare
The 2025 DBIR attributes the shift to attacker targeting priorities rather than defensive improvements in healthcare. Threat actors have moved aggressively toward static identifiers — Social Security numbers, bank account numbers, driver’s license numbers — because these cannot be rotated the way credit card numbers can. Social Security numbers appeared in two-thirds of breach reports in 2025. One-third involved bank accounts or driver’s license numbers.
Financial services holds the densest concentration of these identifiers per breached record. A successful compromise at a credit union or regional bank yields data that supports identity fraud for years, not weeks. The ITRC’s James Lee summarized the shift: attackers have moved beyond simple identity theft into what ITRC terms a “State of More” — more attacks, more precise, more automated, harder to detect.
The regulatory pressure that comes with financial breaches also means more of them get publicly reported. HIPAA breach reports go to HHS’s Office for Civil Rights, whose public breach portal lists only incidents affecting 500 or more individuals; smaller breaches are reported to OCR annually and never surface in public counts. Financial services faces SEC Form 8-K disclosure of material incidents at public companies, GLBA safeguards, state attorney general notification rules, and the FTC Safeguards Rule’s breach notification requirement for non-bank financial institutions, a disclosure surface broad enough that relatively minor incidents surface in the public count.
A note on sectoral definitions: the ITRC’s “financial services” includes banks, credit unions, insurers, investment firms, and fintech. The 2025 TransUnion incident, which involved a third-party application rather than the company’s credit database, alone generated 4.4 million victim notices in Q3 2025 without consumer credit information being exposed. Large single-event disclosures of that kind now drive the category’s count as much as targeted direct attacks do.
The Professional Services Surge
Professional services moved from a mid-tier category to the third-most-breached sector over three years. The mechanism is supply chain concentration. A law firm holds client data across every industry it serves. An accounting firm holds tax and financial records for hundreds of corporate clients. A managed service provider holds credentials to every customer environment.
The 2024 Snowflake campaign is the exemplar. Using credentials harvested by infostealer malware, some of them years old, attackers identified customer tenants that did not enforce MFA, built tooling to test those credentials at scale, and exfiltrated data from roughly 165 organizations. No Snowflake vulnerability was exploited. The breach vector was customer misconfiguration layered on a shared platform, the precise structural risk that makes professional services and SaaS providers so valuable to attackers.
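The tenant-side check and fix for the misconfiguration this campaign relied on, as an added example that is not from the original article and is not Snowflake’s or Mandiant’s own guidance. It assumes the caller holds ACCOUNTADMIN, that the ACCOUNT_USAGE share is available, and that the view, column and policy-parameter names are as documented at the time of writing (verify them against your own account before acting on the output); the policy names, the service account name and the IP ranges are placeholders.

```sql
-- Added example (not from the article, Snowflake or Mandiant). Assumes ACCOUNTADMIN,
-- the SNOWFLAKE.ACCOUNT_USAGE share, and view/column names as documented at the
-- time of writing. Policy names, the service account and the CIDRs are placeholders.

-- 1. Detection: which users completed a successful PASSWORD login with NO second
--    factor in the last 30 days? These are the accounts a leaked password fully owns.
SELECT
    user_name,
    COUNT(*)                                    AS password_only_logins,
    COUNT(DISTINCT client_ip)                   AS distinct_source_ips,
    MIN(event_timestamp)                        AS first_seen,
    MAX(event_timestamp)                        AS last_seen,
    LISTAGG(DISTINCT reported_client_type, ',') AS client_types
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Weak state (what the campaign exploited): no account-level authentication
--    policy, so a password alone is a complete credential. There is nothing to
--    configure; this is simply the state of a tenant that never set a policy.

-- 3. Hardened state: an authentication policy that forces MFA enrollment for
--    password logins, applied at account level so every user inherits it.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Every password login must complete MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 4. Reduce the reachable surface as well: allow logins only from your own
--    egress addresses (203.0.113.0/24 and 198.51.100.10 are placeholder ranges).
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 5. Service accounts that cannot do MFA move to key-pair authentication and
--    lose their password, rather than being exempted from the policy.
--    (etl_service_account is a placeholder; paste the real PEM public key body.)
ALTER USER etl_service_account SET RSA_PUBLIC_KEY = '<public key>';
ALTER USER etl_service_account UNSET PASSWORD;
```

Run the detection query before applying the policy: any non-human account it returns needs key-pair authentication set up first or its jobs will break when MFA becomes mandatory, while interactive users are simply prompted to enroll at their next login. The login_history view lags real time by up to a couple of hours, so treat it as an audit, not a real-time control.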
Where the Industry Rankings Disagree
Verizon’s DBIR and ITRC’s annual report produce different top-industry lists, and the difference is methodological rather than contradictory. The 2025 DBIR, analyzing 12,195 confirmed breaches across 139 countries between November 2023 and October 2024, places public administration at or near the top of incident counts, driven heavily by government reporting mandates that capture incidents other sectors suppress. Kroll’s investigation data from 2023 identified finance as the most-breached industry at 27% of its caseload. The ITRC, counting publicly reported U.S. compromises only, produces the ranking discussed here: finance, healthcare, professional services, manufacturing, education.
The three methodologies answer three different questions. The DBIR answers “what breach patterns exist globally across contributed caseloads.” The ITRC answers “how many U.S. organizations disclosed a compromise.” Kroll and similar firms answer “what does our investigative book of business look like.” Any analysis that treats one ranking as definitive is mis-reading its source.
What Changed in the Attack Mix, 2023 to 2025
The industries moved because the attack methods moved. Three shifts dominate the three-year window:
Ransomware’s share rose and its definition changed. Verizon’s 2024 DBIR reported ransomware in 23% of breaches and counted pure extortion (non-encrypting) attacks separately at about 9%; the 2025 DBIR folds the two together and puts the combined figure at 44%, so part of the jump is definitional. Within system intrusion breaches specifically, ransomware is present in 75%. SMBs absorb disproportionate impact: ransomware appears in 88% of SMB breaches versus 39% at enterprises. The 2025 report also puts the median ransom payment at $115,000, down from $150,000 the prior year, and finds that 64% of victims now refuse to pay, up from 50% two years earlier.
Vulnerability exploitation surged 34% year-over-year and is now the second-most-common initial access vector at 20% of breaches, overtaking phishing (15%) and closing on stolen credentials (22%). The driver is edge devices: VPNs, firewalls, and other internet-facing infrastructure. Verizon documented that the median time between public disclosure of a critical edge-device vulnerability and its mass exploitation was zero days, while the median time for organizations to fully remediate those same vulnerabilities was 32 days, and only about half were fully remediated at all. Patch windows have effectively closed for this class of product.
Espionage-motivated attacks rose in manufacturing and healthcare. This is a real departure. Financial motivation has historically driven the overwhelming majority of breaches across every sector. The 2025 DBIR’s explicit call-out of espionage as a growing motive in manufacturing — and its appearance in healthcare — reflects nation-state actors targeting industrial IP and clinical research data, not just criminal gangs seeking ransom payments.
Ransomware variants tracked by the FBI IC3 in 2025 concentrate in a handful of operations: Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. The top 10 variants accounted for 56% of reported incidents and 49.8% of reported losses. Healthcare received the most ransomware complaints of any critical infrastructure sector, followed by critical manufacturing and government facilities.
The Transparency Problem
An underreported trend in the three-year window: breach notifications are becoming progressively less informative. In 2020, nearly 100% of breach notifications included the root cause. By 2023, that had fallen to 55%. In 2024, only 35% of notices specified how the attack occurred. In 2025, just 30% did — meaning 70% of breach notices give victims no information about the attack vector.
The ITRC attributes this to litigation risk management. A detailed breach notice describing a ransomware exfiltration posted to a dark web leak site is evidence in the class actions that now follow essentially every breach of notable size. A vague notice stating that “personal information may have been affected” satisfies statutory minimums while limiting discoverable detail. The result is a notification regime that technically functions but practically fails consumers and, critically, fails cross-industry learning.
This matters for any three-year industry analysis because the raw counts conceal an increasingly opaque picture of what actually happened inside each breach. Ranking industries by disclosed incidents tells you which sectors had to disclose — not necessarily which were most attacked, nor most compromised.
Frequently Asked Questions
Why does healthcare still lead in cost if it no longer leads in count? Healthcare’s per-breach cost reflects HIPAA penalties, operational disruption costs, and the long-tail value of medical records for fraud. Hospitals cannot easily degrade gracefully during an incident — surgical schedules, pharmacy systems, and diagnostic equipment depend on continuous IT availability. The Change Healthcare ransom payment of $22 million in 2024 is an outlier only in scale; the cost profile underneath it is standard for the sector.
Is financial services actually getting attacked more, or just reporting more? Both, but the balance has tipped toward more reporting. SEC 8-K disclosure requirements for material cybersecurity incidents took effect in December 2023 and materially expanded what publicly traded banks and insurers must acknowledge (privately held institutions and credit unions fall outside them, though state and FTC rules still reach them). Verizon’s caseload data shows financial services attack attempts have risen, but the gap between attacks experienced and breaches disclosed has narrowed faster than the attack rate itself.
How can professional services be third-most-breached when most people wouldn’t list it as a target? Because the attackers aren’t after the professional services firm — they’re after the firm’s clients. A law firm breach produces notifications across every industry represented in the client book. The ITRC’s category captures the firm where the breach originated, not the downstream victims, which is why the count grew even as the dollar value per firm stayed modest.
What’s the single biggest change for defenders between 2023 and 2025? The collapse of the patch window for edge devices. Any defensive strategy built on a “patch within 30 days” cadence for internet-facing infrastructure is now structurally inadequate. With a median of zero days between public disclosure and mass exploitation of newly published perimeter-device vulnerabilities, these assets specifically need virtual patching, network-layer mitigation, or an accelerated patching pipeline.
The Three-Year Verdict
If you came looking for a single most-breached industry, the honest answer for 2025 is financial services by count and healthcare by cost, with the rankings shifting fast enough that the 2026 picture may look different again. The more durable finding from three years of data is structural: breaches have concentrated toward industries that hold static identifiers, that sit in third-party positions serving multiple downstream clients, or that cannot tolerate operational disruption. Those three attributes explain most of the ranking movement from 2023 to 2025, and they are unlikely to reverse.
For security leaders, the implication is straightforward. The industries most breached today are the ones where attackers found the best ratio of data density to entry difficulty. Closing either side of that ratio — through identity-first architecture, third-party risk management, or segmentation that contains a compromise to a single tenant — shifts the economics more than any individual control. The data from the last three years suggests attackers are extremely sensitive to that ratio, and industries that change it see their breach counts change with it.