Sources and disclaimers

Every number, and where it came from.

We publish figures about HIPAA enforcement, breach costs, and how patients search. Here is each one, what it actually measures, and how far we are willing to push it. If a number on this site is not on this page, tell us and we will fix that.

VerifiedFigures re-checked: July 12, 2026Next re-check: January 2027

Re-checked against the live sources on July 12, 2026, and we changed two of them

We opened every source. Two numbers did not survive it, so we fixed them rather than leave them up:

  • We had said “47,000 investigations opened.” The OCR does not publish that. It publishes investigations completed, and the real figure is 46,752, a number we derive by adding two of its line items. We show the arithmetic below rather than quote a total nobody published.
  • We had said 51% of healthcare searches return an AI answer, “twice any other industry.” It is twice the average across industries, and the highest of any single one. Those are different claims. Ours was the bigger one, and it was wrong.

Cumulative enforcement counts rise. Breach costs are restated yearly. AI-search percentages move fastest of all. So this page carries the date it was checked, and the date it gets checked again. A figure with no date on it is a figure nobody is accountable for.

How we cite

Four rules, and we hold ourselves to them:

  • Name the source and the year. A statistic without a publisher and a date is a rumor.
  • Say what it measures. A referral is not a conviction. An investigation is not a finding. An average is not a forecast.
  • Do not round in our own favor. The numbers are sobering enough as published.
  • Mark what is stale. If we have not re-checked it, the page says so, in the open, like it does today.

HIPAA enforcement figures

These three run on the homepage under HIPAA enforcement isn’t theoretical. They are cumulative totals from the HHS Office for Civil Rights, the agency that actually enforces HIPAA. They are large because they cover two decades, and we present them that way rather than implying they happened last quarter.

  1. 374,000+

    complaints filed with the OCR

    Source
    HHS Office for Civil Rights, HIPAA enforcement data hhs.gov enforcement highlights
    Measures
    Cumulative HIPAA complaints received by the OCR since the Privacy Rule compliance date in 2003. OCR currently publishes 374,321. Not an annual figure, and not a count of violations found: OCR determined that 255,953 of them did not present an eligible case for enforcement.
    Verified
    Verified July 12, 2026
  2. 46,000+

    investigations completed

    Source
    HHS Office for Civil Rights, HIPAA enforcement data hhs.gov enforcement highlights
    Measures
    Investigations the OCR has COMPLETED, not opened. Derived by adding the two categories OCR publishes: 31,191 cases resolved by requiring changes in privacy practices or corrective action, plus 15,561 in which the investigation found no violation. 31,191 + 15,561 = 46,752. An investigation is not a finding of fault, and a third of the completed ones found nothing. We show the arithmetic because we derived the number rather than quoting it.
    Verified
    Verified July 12, 2026
  3. 2,419

    criminal referrals to the DOJ

    Source
    HHS Office for Civil Rights, HIPAA enforcement data hhs.gov enforcement highlights
    Measures
    Cumulative count of cases the OCR referred to the Department of Justice for criminal investigation. These are referrals, not charges, and not convictions. We say so wherever we show the number.
    Verified
    Verified July 12, 2026

The disclaimer we carry with these figures

Complaint, investigation, and DOJ criminal-referral figures are cumulative, per HHS Office for Civil Rights (OCR) HIPAA enforcement data. DOJ figures reflect cases referred for criminal investigation, not convictions. Average breach cost per the IBM Cost of a Data Breach Report 2025.

The cost of a breach

The capstone figure on the homepage, and the one people misquote most. It is an industry average from an annual study, not the bill a single practice should expect.

  1. $7.42M

    average healthcare breach

    Source
    IBM Cost of a Data Breach Report 2025 ibm.com/reports/data-breach
    Measures
    Average total cost of a data breach in the healthcare industry, per the 2025 edition of the annual IBM and Ponemon study. Healthcare has carried the highest average of any industry in the report for fourteen consecutive years. It is an average across breaches of very different sizes, so it is a scale marker, not a prediction of what any one incident would cost a practice.
    Verified
    Verified July 12, 2026

The sentence we run alongside it, verbatim from our copy: And the fine is the cheap part. The average healthcare data breach now costs $7.42 million, the highest of any industry for fourteen years running.

The claims we make about ourselves

Three numbers on this site come from us, not from a third party. They are worth flagging as such, because a citation page that only cites other people is doing half the job.

  • 20+, years in business.
  • 0, client complaints or HIPAA notices.
  • $1B+, in client revenue engineered.

These are our own records, attested by the firm. They are not audited by a third party and there is no external register we can point you at. The “0” in particular is a claim you are asked to take on our word, and we would rather say that than dress it up. If you are evaluating us, ask us for references and we will give you real ones.

“Hosting on its own commonly runs $250 or more a month”

This one is checkable, so we checked it. Here are the entry plans of the three biggest HIPAA hosting providers, taken from their own published pricing pages on July 12, 2026. List prices, not quotes.

  • Liquid Web, $229/mo. Dedicated HIPAA server, Linux. $271/mo for Windows. liquidweb.com
  • HIPAA Vault, $339/mo. HIPAA Linux Starter; $309/mo on a one-year contract. Rises to $1,799/mo for high availability. No shared tier is offered at all. hipaavault.com
  • Atlantic.Net, $552.31/mo. HIPAA Developer, Linux managed cloud server. Rises to $973.27/mo with disaster recovery. atlantic.net

The average entry plan across those three is $373 a month. Our “$250 or more” is a floor, and it sits about a third below that average. We would rather understate this than inflate it.

The number that matters: the Shield costs less than hosting alone

The Compliance Shield is $350 a month, hosting included. The average of those three entry plans is $373 a month for the hosting by itself, before anyone patches a dependency, watches a certificate, scans a deploy, or signs a Business Associate Agreement for the web layer.

And the caveat, because a floor you can undercut is a floor nobody trusts again: Liquid Web’s Linux entry plan is $229, which is below our $250. Two of the three are above it, and the average is far above it, so the claim holds. But you will find that $229 if you look, and we would rather you found it here first.

We name competitors on purpose. A number you cannot check is not evidence, and “trust us, hosting is expensive” is exactly the sort of unsourced claim this page exists to refuse.

On our own pricing: the figures on this site are directional. They tell you the order of magnitude before you call. They are not a quote, and the number in a signed proposal is the only number that binds either of us. See our terms.

Legal notice

The standing notice we carry across the site, in full:

Failsafe Digital, legal notice

Compliance claims and the enforcement figures cited here require final fact-verification and healthcare-attorney review before publication. Pricing is directional. Failsafe Digital is a web-compliance studio, not a law firm; nothing here is legal advice.

Found an error, or a figure we have let go stale? Email hello@failsafedigital.com. We will check it, and if we are wrong we will change it and say so on this page.

Start here

Numbers are the background. Your site is the question.

None of the figures on this page tell you whether your own contact form is leaking. That takes a look at your site. We do that part free, and we write down what we find.

Free · public information only · no access to your systems