Sources and disclaimers
Every number, and where it came from.
We publish figures about HIPAA enforcement, breach costs, and how patients search. Here is each one, what it actually measures, and how far we are willing to push it. If a number on this site is not on this page, tell us and we will fix that.
Re-checked against the live sources on July 12, 2026, and we changed two of them
We opened every source. Two numbers did not survive it, so we fixed them rather than leave them up:
- We had said “47,000 investigations opened.” The OCR does not publish that. It publishes investigations completed, and the real figure is 46,752, a number we derive by adding two of its line items. We show the arithmetic below rather than quote a total nobody published.
- We had said 51% of healthcare searches return an AI answer, “twice any other industry.” It is twice the average across industries, and the highest of any single one. Those are different claims. Ours was the bigger one, and it was wrong.
Cumulative enforcement counts rise. Breach costs are restated yearly. AI-search percentages move fastest of all. So this page carries the date it was checked, and the date it gets checked again. A figure with no date on it is a figure nobody is accountable for.
How we cite
Four rules, and we hold ourselves to them:
- Name the source and the year. A statistic without a publisher and a date is a rumor.
- Say what it measures. A referral is not a conviction. An investigation is not a finding. An average is not a forecast.
- Do not round in our own favor. The numbers are sobering enough as published.
- Mark what is stale. If we have not re-checked it, the page says so, in the open, like it does today.
HIPAA enforcement figures
These three run on the homepage under “HIPAA enforcement isn’t theoretical.” They are cumulative totals from the HHS Office for Civil Rights, the agency that actually enforces HIPAA. They are large because they cover two decades, and we present them that way rather than implying they happened last quarter.
- 374,000+
complaints filed with the OCR
- 46,000+
investigations completed
- 2,419
criminal referrals to the DOJ
The disclaimer we carry with these figures
Complaint, investigation, and DOJ criminal-referral figures are cumulative, per HHS Office for Civil Rights (OCR) HIPAA enforcement data. DOJ figures reflect cases referred for criminal investigation, not convictions. Average breach cost per the IBM Cost of a Data Breach Report 2025.
The cost of a breach
The capstone figure on the homepage, and the one people misquote most. It is an industry average from an annual study, not the bill a single practice should expect.
- $7.42M
average healthcare breach
The sentence we run alongside it, verbatim from our copy: “And the fine is the cheap part. The average healthcare data breach now costs $7.42 million, the highest of any industry for fourteen years running.”
AI search and how patients find you
These support our visibility work: the claim that healthcare searches now overwhelmingly return an AI-generated answer, and that being the source the AI can read is worth engineering for. This is the fastest-moving data on the site, which is exactly why it is dated.
- ~100%
of treatment and procedure searches now return an AI answer
- 93%
of symptoms and conditions searches
- 51%
of all healthcare searches, the highest of any industry
Source, as cited on the site
WebFX, 130,070 health queries (2025); BrightEdge Generative Parser, December 2025 snapshot. Verified 2026-07-12.
Note on links: every source above is a pinned deep link to the specific study, not a publisher home page. The two BrightEdge figures come from one December 2025 snapshot; the WebFX figure is a study of 130,070 health queries. Named, dated, clickable. A citation you cannot follow is not a citation.
This is also the fastest-moving data we publish. BrightEdge had the symptom figure at 57% in December 2023 and 93% two years later. Treat the direction as the finding and the level as perishable, and check the date at the top of this page before you quote us.
The claims we make about ourselves
Three numbers on this site come from us, not from a third party. They are worth flagging as such, because a citation page that only cites other people is doing half the job.
- 20+, years in business.
- 0, client complaints or HIPAA notices.
- $1B+, in client revenue engineered.
These are our own records, attested by the firm. They are not audited by a third party and there is no external register we can point you at. The “0” in particular is a claim you are asked to take on our word, and we would rather say that than dress it up. If you are evaluating us, ask us for references and we will give you real ones.
“Hosting on its own commonly runs $250 or more a month”
This one is checkable, so we checked it. Here are the entry plans of the three biggest HIPAA hosting providers, taken from their own published pricing pages on July 12, 2026. List prices, not quotes.
- Liquid Web, $229/mo. Dedicated HIPAA server, Linux. $271/mo for Windows. liquidweb.com
- HIPAA Vault, $339/mo. HIPAA Linux Starter; $309/mo on a one-year contract. Rises to $1,799/mo for high availability. No shared tier is offered at all. hipaavault.com
- Atlantic.Net, $552.31/mo. HIPAA Developer, Linux managed cloud server. Rises to $973.27/mo with disaster recovery. atlantic.net
The average entry plan across those three is $373 a month. Our “$250 or more” is a floor, and it sits about a third below that average. We would rather understate this than inflate it.
The number that matters: the Shield costs less than hosting alone
The Compliance Shield is $350 a month, hosting included. The average of those three entry plans is $373 a month for the hosting by itself, before anyone patches a dependency, watches a certificate, scans a deploy, or signs a Business Associate Agreement for the web layer.
And the caveat, because a floor you can undercut is a floor nobody trusts again: Liquid Web’s Linux entry plan is $229, which is below our $250. Two of the three are above it, and the average is far above it, so the claim holds. But you will find that $229 if you look, and we would rather you found it here first.
We name competitors on purpose. A number you cannot check is not evidence, and “trust us, hosting is expensive” is exactly the sort of unsourced claim this page exists to refuse.
On our own pricing: the figures on this site are directional. They tell you the order of magnitude before you call. They are not a quote, and the number in a signed proposal is the only number that binds either of us. See our terms.
Legal notice
The standing notice we carry across the site, in full:
Failsafe Digital, legal notice
Compliance claims and the enforcement figures cited here require final fact-verification and healthcare-attorney review before publication. Pricing is directional. Failsafe Digital is a web-compliance studio, not a law firm; nothing here is legal advice.
Found an error, or a figure we have let go stale? Email hello@failsafedigital.com. We will check it, and if we are wrong we will change it and say so on this page.
Start here
Numbers are the background. Your site is the question.
None of the figures on this page tell you whether your own contact form is leaking. That takes a look at your site. We do that part free, and we write down what we find.