Health care organizations are facing a surge in cyber threats. Data from 2025 reveal an increase in ransomware attacks — there were 211 reported incidents in the first half of the year — and more than 650 security incidents reported to date. As patient data becomes increasingly digitized, ransomware, third-party breaches, and accidental exposure continue to pose threats to both large systems and smaller practices. These trends underscore the urgent need for not only strong cybersecurity measures but also proactive risk management strategies, including financial and legal safeguards, to protect sensitive patient information.
During a recent Medical Economics Practice Academy presentation, experts from ISMIE Mutual and Beazley highlighted the impact of recent cyberattacks on health care organizations and discussed how specialized cyber liability coverage can help manage risk, ensure compliance, provide financial protection, and support rapid recovery from operational disruptions and financial losses caused by cyberattacks.
In the 1970s and 1980s, medical liability crises led to a surge in claims frequency and severity, driving many insurers out of the market. “Carriers that wrote the coverage decided to exit certain geographies — or even medical professional liability [MPL] altogether,” explained Brad Ash, chief underwriting officer and senior vice president of underwriting and sales at ISMIE Mutual Insurance Company. “That was a problem, especially in states that tie medical licensure to MPL.”
Even in states without such mandates, many physicians stopped practicing when they could not secure reliable coverage, resulting in widespread practice closures and significant access-to-care issues.
In response, ISMIE Mutual was formed to provide a stable source of coverage and restore patient access to care. Today, ISMIE Mutual is the seventh-largest national MPL carrier, operating through five platforms: ISMIE Mutual, ISMIE Indemnity, ISMIE SPC, ISMIE Diversified Products and ISMIE UK.
“ISMIE was a pioneer in the space, in realizing that the increase of cyber risk, privacy risks and data exposure that physician malpractice or health care practices face is something that needs to be directly addressed,” commented Nick Spano, US product leader with Beazley.
In much the same way that ISMIE was founded to stabilize the MPL market decades ago, the company now recognizes that new and emerging risks—particularly cyber threats—require the same level of proactive attention.
Underscoring the cybersecurity threats facing health care organizations, Ash referenced the impact of a ransomware attack in 2024 on Change Healthcare, a UnitedHealth subsidiary that operates a major health claims clearinghouse. “This was the largest data breach of health and medical data in US history,” affecting an estimated 190 million individuals, said Ash. Although UnitedHealth paid a $22 million ransom, hackers still threatened to publish the data. Claims processing was severely disrupted for months, leaving many providers, especially smaller practices, without cash flow.
Ash also highlighted the Advocate Aurora Health breach, in which tracking pixels from Facebook (Meta) and Google inadvertently collected and shared patient information — such as appointment dates, procedure types and IP addresses — with third-party vendors. “Fortunately, neither Social Security numbers nor financial data were leaked or exposed,” said Ash. “But up to 3 million patients in Illinois and Wisconsin may have been affected.” Once the issue was identified, Advocate Aurora removed the pixels and notified patients and regulators. Ash credited this breach as “one of the first” to spark broader debate about privacy in today’s highly digitized health care environment.
In a third example, Ash discussed the impact of a ransomware attack on Lurie Children’s Hospital in Chicago. The attack, by a ransomware group called Rhysida, forced the hospital to shut down its network for several weeks and resulted in the theft of personal data for nearly 800,000 individuals. “The hospital did stay open, but many of their critical systems were offline for several weeks,” said Ash. “Full system restoration took months, and Lurie finally came completely back online in May 2024, approximately four months after the initial attack.”
Finally, Ash cited the 2025 Yale New Haven Health data security incident, in which an unauthorized third party accessed demographic information and medical record numbers. “Fortunately, at no point in this case did the breach affect patient care,” said Ash. Yale New Haven took appropriate measures, notifying patients and launching community outreach to report any discrepancies.
“Cybercriminals really have an affinity for health care organizations,” Ash warned. “Cybercriminals target the health care industry because sensitive patient data, including personal health information, medical records and financial details, are very valuable on the dark web.” Many providers, he explained, are using outdated technology and lack resources for robust cybersecurity. Interconnected systems, aging medical devices and limited staff awareness also contribute to the sector’s vulnerability.
SOLUTIONS AND TAKEAWAYS:
- Immediately report any suspected ransomware attack or security incident to your cyber insurance provider to swiftly access experts who can investigate the situation, analyze the virus and begin mitigation efforts.
- Implement full disk encryption on your computer systems. This provides robust protection by requiring a password upon boot-up, making the data on the entire hard drive unreadable to hackers who do not know the password.
- Conduct daily data backups and ensure the backup system is physically disconnected from the network (ideally encrypted and off-site) so that data recovery is a viable alternative to paying a ransom in the event of an attack.
- Establish business associate agreements and proper contractual obligations with all third-party vendors that handle patient health information, as the practice remains the legal custodian of that data even when it is stored externally.
- Educate all employees, including clerical staff, on cybersecurity threats through annual training. Human error accounts for a majority of cyber events, and staff focused on patient care may not be fully aware of the latest threats.
“The case studies [Ash] reviewed demonstrate the importance of cyber liability insurance,” said Jamie Donovan, senior underwriting specialist with ISMIE Mutual. While the previous examples focused on large targets, hackers “work in collectives and will cast a wide net, targeting groups of smaller practices as well.” Donovan commented that cyber liability insurance is essential for data protection, legal compliance, reputation management and financial security.
“Cyber [liability] insurance gives you access to the experts who are going to hold your hand, walk you through the process and get your practice back up to treating patients as quickly, efficiently and expertly as possible,” added Spano.
While federal laws like HIPAA and HITECH set baseline protections for patient data, many states — and even some localities — have their own privacy requirements, adding complexity that cyber liability insurers help providers navigate.
“Medical practices work every day to improve patient health and welfare and take great pride in the reputation they’ve built and the important contributions they make to communities,” said Donovan. “The last thing anyone wants is to see that hard-earned reputation damaged.”
In partnership with the Beazley syndicate, ISMIE has rolled out an enhanced version of its cyber liability coverage. Updates include clearer policy language, a new insuring agreement for reputational loss, and removal of the retroactive date, providing coverage for incidents discovered during the policy period.
“ISMIE policyholders are going to have access to meaningful coverage that helps them address one of the [fastest]-growing risks they face. The changes ISMIE has made allow policyholders to have peace of mind that this coverage will be available to them not only today, but for the foreseeable future,” Spano said.
He then illustrated ISMIE’s role in helping practices manage cybersecurity risks through a real case in which a third-party data breach left physicians legally responsible for patient data. ISMIE provided coverage, guidance and resources to manage the incident and support affected parties.
Spano also spoke in depth about the threat ransomware poses to organizations and emphasized immediate reporting to the insurer, which activates a “cyber fire department” of experts to analyze the virus, attempt data recovery and ensure compliance, including OFAC sanctions checks, before any ransom payment.
“Not only can making the ransomware payment delay access to the information, but sometimes, as [Ash] highlighted, [because of] the lack of honor among thieves, the ransomware payment itself may not actually solve the issue.” Educating employees is crucial, he added, as most cyber events stem from human error.
For health care providers, Spano concluded, a cyberattack is often a question of when, not if, making a strong partner like ISMIE essential.