Viewpoint: A Favorable Prognosis—Healthcare at the Forefront of Cyber Risk

By Stephanie Snyder Frenier | April 17, 2025

Healthcare organizations continue to find themselves at the forefront of cyber risk. Exposures such as IT supply chain dependencies, website tracking litigation, ransomware attacks, new security regulations, and data breach class actions put healthcare organizations of all sizes at high risk for cyber insurance claims. Understanding trends in cyberattacks, as well as the evolving regulatory and litigation environment, is critical to building resilience and maximizing insurance indemnification.

IT Supply Chain Dependencies

The February 2024 breach of a healthcare technology provider had a massive downstream effect on almost all touchpoints of the healthcare industry: hospitals, healthcare providers, pharmacies, drug companies, insurers, and patients. The attack demonstrated the risk of IT supply chain exposures in the healthcare industry segment, and the considerations healthcare companies should weigh as they engage with IT vendors and assess the dependencies involved in running their operations.

Website Tracking Litigation

Website tracking is the use of code, including pixels, cookies, or scripts, to capture data about how users interact with a website. Website tracking litigation is not the result of new regulations, but rather of the plaintiffs’ bar’s use of existing laws that never contemplated today’s technology when they were enacted, such as 1967’s California Invasion of Privacy Act, 1968’s Federal Wiretap Act, and 1988’s Video Privacy Protection Act. These laws carry statutory penalties ranging from $250 to $10,000 per violation. Healthcare organizations tend to be a bigger target for website tracking litigation than other industries, likely due to the highly regulated data that they collect and hold.

Ransomware

Healthcare organizations remain a significant target for ransomware threat actors. According to Comparitech, there were 118 confirmed ransomware attacks and 147 unconfirmed ransomware attacks against the US healthcare sector in 2024, which resulted in an average of 18 days of downtime. The healthcare industry tends to be targeted by ransomware threat actors given the large amounts of healthcare and financial data being processed, as well as the critical need for operational uptime to support patients. On average, US healthcare organizations lose $1.9 million per day due to downtime from ransomware attacks. While improved cybersecurity controls have resulted in fewer ransoms being paid, the disruption caused by ransomware attacks remains significant.

New Security Regulations

In December 2024, HHS announced a proposed update to the HIPAA Security Rule that would require healthcare organizations to implement additional security controls, such as multifactor authentication (MFA), data encryption, vulnerability remediation, network segmentation, asset inventory, and proactive security testing. This proposed rule update has not yet been finalized and now falls under the purview of the new federal administration. Various states have required healthcare organizations to report breaches within a certain time period and to improve cybersecurity controls.

Data Breach Class Actions

Data breaches continue to impact healthcare organizations. According to The HIPAA Journal, there were 13 data breaches in 2024 involving more than one million healthcare records. Eleven of these were a result of a cyberattack on the organization and eight involved an attack on business associates of HIPAA-regulated entities. In many cases, a ransomware attack serves as a basis for not only a disruption in services, but also a breach of HIPAA-regulated data, typically resulting in costly class-action litigation.

With such a challenging risk environment, how can healthcare organizations structure their cyber insurance to address the evolving claims environment? Insurance buyers should pay attention to the following:

  • Are limits adequate for the risk exposure? Many healthcare organizations reduced limits during challenging cyber insurance market conditions from 2020 to 2022, while continuing to experience revenue growth. Only about half of those buyers increased limits when market conditions changed.
  • What vendors are in scope for dependent/contingent business interruption coverage? Dependent/contingent business interruption coverage may include indemnification for net income loss and extra expenses associated with a disruption of a vendor on which the insured is dependent, due to a security breach or technology failure. Many policies require that a contract be in place with the vendor to provide this coverage; however, coverage may be available or broadened so that no contract is required.
  • Is coverage available for claims related to website tracking and the associated collection of data? Many policies may exclude coverage for this “wrongful collection” peril or may limit coverage to defense costs only. Carriers have started underwriting for this exposure, and when controls are adequate, full limits may be available.

Having a broker with cyber insurance expertise and a consultative approach is key. The devil is in the details of cyber coverage, and it is critical that healthcare organizations partner with a broker that can provide data and analytics to identify the potential quantum of loss, understand the nuances of available coverages across the market, and advocate through the claims settlement process. The prognosis for healthcare organizations that take this into consideration is favorable, and those organizations will be better positioned to maximize the value of their cyber insurance policy.
