
- Medical Economics March-April 2026
- Volume 103
- Issue 2
- Pages: 22
Beyond malpractice policies: What every physician should know about cyber insurance
Key Takeaways
- Cyber endorsements bundled with malpractice or package policies often cap limits at $10,000-$50,000 and frequently exclude social engineering losses, leaving substantial uncovered exposure.
- Stand-alone coverage typically funds forensics, breach counsel, PR, business interruption, restoration and data recovery, enabling faster clinical and revenue-cycle recovery after ransomware.
Cyber insurance provided through a malpractice or business insurance policy often caps coverage at $10,000 or $50,000 and excludes important risks most likely to hit a practice, like social engineering fraud.
A physician orders $100,000 worth of new equipment for a clinic build-out. The office receives the invoice via email and sends the wire transfer through. Weeks later, the vendor insists they never received the payment. Turns out, the money is gone, rerouted to a hacker’s account. Now, the physician is left with an empty office — and $100,000 less in the bank.
Stories like this are increasingly common in health care, where cybercriminals exploit busy practices that lack the time and resources to scrutinize every transaction. According to the U.S. Department of Health and Human Services Office for Civil Rights, since 2020, more than 500 million individuals — more than the U.S. population — have had their health care records stolen or compromised at least once. Along with privacy concerns, these breaches carry an average cost of $9.77 million.
Large health care entities report cyber insurance adoption rates of approximately 95%, and for good reason: Health care as an industry group was the
By contrast, a stand-alone cyber policy offers dedicated protection and immediate access to professionals who can help contain the damage. Think of it this way: an add-on endorsement to a package policy is like having a fire extinguisher on hand when there is a fire. It’s better than nothing and may help deal with a small mishap. A stand-alone policy, on the other hand, is like having access to a fire department, with all the tools, expertise and support required to stop the damage and get your practice back up and running.
What does a stand-alone cyber policy include?
The right stand-alone policy is not only broader but also more accessible than many physicians realize. Coverage that was once expensive and difficult to obtain is now more widely available, making it an attainable safeguard for practices of every size, especially when compared with the potential for high-value losses from cyberattacks.
Key features to consider:
- Comprehensive first-party protection: A stand-alone policy covers first-party costs associated with a cyberattack, including ransomware payments (where possible), forensic investigation, breach response services (legal, regulatory, and public relations), business interruption costs, system restoration and data recovery. The goal is simple: Deliver the resources to get back online and return to treating patients as fast as possible after an attack.
- Robust third-party liability coverage: Practices also need protection when regulators, patients or vendors claim that data weren’t properly safeguarded. The 2024 Change Healthcare breach showed that even when a vendor is hacked, practices still bear HIPAA notification and compliance obligations. Stand-alone coverage that accounts for vendor-related breaches keeps practices from absorbing those liabilities alone.
- Meaningful limits that reflect real costs: Although lower limits are offered, a practical standard for stand-alone policies starts at $1 million of coverage, with dedicated sublimits of $250,000 or more for social engineering fraud and other forms of financial loss. These amounts reflect current realities: Health care ransomware attacks in 2024-2025 averaged $1.3 million to $2 million in losses, with some extortion demands reaching $4 million. The lower limits found in cyber endorsements — typically $10,000 to $50,000 — fall dramatically short when faced with actual breach costs that regularly exceed six figures, leaving practices to cover significant portions of the total cost themselves.
- Explicit protection for social engineering fraud: Social engineering fraud, invoice manipulation and fraudulent wire transfers, often resulting from a business email compromise, are among the most common causes of loss for medical practices. Some coverage may be available on a commercial crime policy — another coverage purchased less than it should be — and add-on endorsements rarely include it at all. A strong stand-alone policy should offer clear, adequate protection against these scams.
Prevention still matters
Cyber insurers expect physician practices to adopt baseline safeguards, and those that do can often secure better terms and premium pricing. More importantly, prevention reduces the chance of ever having to use the policy in the first place.
Key measures to implement include:
- Multifactor authentication (MFA): MFA is the single most effective safeguard against unauthorized access. It ensures that even if a password is stolen, hackers cannot log in without the second factor.
- Endpoint detection and response (EDR/XDR): Continuous monitoring tools use automation and AI to flag suspicious activity — like unusual logins or large data transfers — before it escalates into a breach.
- 3-2-1 data backups: Keeping three copies of data on two different types of storage, with one copy kept offline or offsite, protects against ransomware and makes recovery possible without paying attackers.
- Employee training and awareness: Human error is the root cause of most breaches. Training staff to recognize phishing attempts, question unusual payment requests, and avoid weak passwords creates a frontline defense against attacks.
The bottom line
Cyberattacks are no longer a question of if but when. For physicians, the impact can extend far beyond regulatory fines, halting billing, exposing patient data, and, most importantly, damaging the trust that is central to patient care. Stand-alone cyber insurance provides the financial and professional resources to recover, but no two policies are the same.
Working with a broker who understands health care-specific risks ensures that coverage matches the realities of your practice, closes dangerous gaps left by add-ons, and keeps pace with an evolving threat landscape. With the right partner, you can protect both your patients and your practice from becoming the next headline.
J.P. Kennedy is a director in HUB Northeast’s Cyber and Technology team, with more than 25 years of experience in cyber, technology, professional and management liability.