Healthcare cyber claims data tell a consistent and troubling story: cyberattack frequency surged dramatically in 2025, roughly a 90% increase from the prior year, while loss costs more than doubled. These increases can be attributed to both ransomware attacks and the near-automatic class action lawsuits that follow such incidents. In parallel, continued lawsuits tied to online tracking technologies are increasing risk.
Healthcare organizations are facing ransomware attacks that are costing between two and three times more than those against non-healthcare entities.
Ransomware attacks are happening more frequently and are causing more damage. Double extortion, where attackers not only encrypt a victim’s data but also steal and threaten to publish patient data unless a ransom is paid, has become standard. This type of attack can trigger nearly every part of a cyber policy: breach response, liability, business interruption, data recovery, and extortion payments.
The healthcare sector has consistently been featured among the top industries targeted by ransomware groups, and it’s not just direct attacks that threaten the industry. The February 2024 Change Healthcare attack disrupted 94% of US healthcare providers and impacted nearly half of the US population.
Several factors converge to make healthcare organizations prime targets for cybercriminals. Healthcare networks are uniquely complex and interconnected. Legacy systems, vendor-managed devices, sprawling IT environments, and limited cybersecurity resources expand the attack surface, making healthcare one of the most challenging environments to secure. Also, when hospital systems are disabled, the consequences extend far beyond operational disruption. Patient care is delayed, safety is compromised, and the financial and human costs become intertwined.
This combination creates significant vulnerabilities that attackers are eager to exploit, especially given the value of healthcare data. A single medical record can sell for $50-$250 on the black market compared to just $1-$2 for a stolen credit card number, making healthcare data more lucrative.
One of the main vulnerabilities for healthcare organizations is their virtual private networks. Most think their SSL/VPN (Secure Sockets Layer/Virtual Private Network) system is secure, but in reality, 50–60% of ransomware incidents come from VPN accounts that didn’t have multi-factor authentication (MFA) properly enforced. Attackers now commonly break into networks through VPN login portals using automated password-guessing tools, an approach often called brute-force. To defend against this, it’s critical not only to require strong, complex passwords and enforce MFA on all accounts, but also to set up account lockouts after repeated failed login attempts and to block connections coming from anonymous or high-risk networks such as public VPNs, proxies, or Tor (The Onion Router).
Regular software updates (patching) are still essential, but as seen in recent ransomware attacks like Akira’s campaign targeting SonicWall devices, even fully patched systems can be compromised if MFA and secure remote access aren’t enforced. Healthcare teams need to ensure remote access to patient data remains secure without sacrificing ease of access for staff.
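As an added illustration (not from the original article), the following Python script shows how a defender could review VPN portal authentication logs for the three conditions described above: repeated failed logins that should trigger a lockout, successful logins that completed without MFA, and logins arriving from known high-risk sources. The log lines, usernames, IP addresses, and the high-risk source list are constructed placeholders, not data from any real organization.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN portal log lines (placeholder data, not a real system).
SAMPLE_LOG = """\
2025-03-02T08:00:01Z user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-03-02T08:00:03Z user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-03-02T08:00:05Z user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-03-02T08:00:07Z user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-03-02T08:00:09Z user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-03-02T08:00:11Z user=jdoe src=203.0.113.5 result=SUCCESS mfa=none
2025-03-02T08:05:00Z user=asmith src=198.51.100.7 result=SUCCESS mfa=totp
2025-03-02T09:10:00Z user=bwong src=192.0.2.9 result=SUCCESS mfa=totp
"""

# Assumption: a placeholder list of high-risk egress addresses (Tor exits,
# public proxies). A real deployment would load this from a threat feed.
HIGH_RISK_SRC = {"192.0.2.9"}

FAIL_THRESHOLD = 5            # failures before an account should be locked
WINDOW = timedelta(minutes=10)  # sliding window for counting failures


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log_text):
    """Return accounts to lock out, successes without MFA, and high-risk logins."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps in window
    findings = {"lockout": set(), "no_mfa_success": set(), "high_risk_login": set()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            # Drop failures older than the window, then add this one and check.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            failures[key].append(ev["ts"])
            if len(failures[key]) >= FAIL_THRESHOLD:
                findings["lockout"].add(ev["user"])
        elif ev["result"] == "SUCCESS":
            # A password-only success right after a burst of failures is the
            # exact pattern the article describes: guessing that worked, no MFA.
            if ev["mfa"] == "none":
                findings["no_mfa_success"].add(ev["user"])
            if ev["src"] in HIGH_RISK_SRC:
                findings["high_risk_login"].add((ev["user"], ev["src"]))
    return findings
```

In the constructed sample, the account jdoe would be locked after its fifth failure, so the password-only success that follows would never have been possible with lockout and MFA enforced.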
The Legal Challenge
The legal aftermath of an attack is also quite challenging. When breaches must be disclosed under HIPAA and state privacy laws, it invites public scrutiny and rapid legal action. As a result, class actions often follow within days.
Meanwhile, litigation over website tracking tools has increased exposure for healthcare organizations, especially as some courts recognize the sensitivity of personal medical data. One recent example involved the use of Meta Pixel, a tool that helps analyze online traffic, in patient portals by organizations that did not realize the tool can share sensitive details with Meta, the social-media platform.
Although only about 200-300 of the roughly 3,000 cases filed* so far on website tracking involved healthcare providers, those few accounted for around two-thirds of the total settlement costs. Data from published class action cases show healthcare settlements averaging $5–6 million.
The Call to Action
Members of the Cooperative of American Physicians (CAP) are reminded of the value-added insurance benefits CAP provides as part of their membership, including CyberRisk liability coverage. This cyberliability policy covers up to $50,000 and 5,000 patient notifications per covered claim should you experience a data breach in your practice. CAP members should note that their CyberRisk benefit includes a $2,500 deductible per covered claim.
While the built-in $50,000 limit provides essential baseline protection, modern cyber incidents frequently exceed that amount due to rising breach response costs, system restoration needs, and regulatory obligations.
Advantages of Securing Additional Coverage
- Expanded coverage beyond what is included in the built-in benefit for eligible CAP members
- Eligible CAP members may qualify for certain coverage or pricing advantages
- Access to apply for MEDEFENSE® Plus, which helps address expenses related to regulatory investigations and billing audits, with the option to include coverage for disciplinary proceedings―an increasingly important complement to cyber and professional liability protection
CyberRisk insurance is available for purchase at excellent rates through Symphony Health, a division of Symphony Risk Solutions. Contact Symphony Health at 213-576-8529 or via email at HealthCareServices@SymphonyRisk.com to learn more or request a free consultation.
*Das, Shanti. “NHS Data Breach: Trusts Shared Patient Details with Facebook without Consent.” The Guardian. 2023. https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent