When Cyber Risk Becomes a Critical Risk in Health Care

Rising ransomware attacks, third-party vulnerabilities and insurance exposure are transforming health care cybersecurity into an enterprise-wide resilience challenge.
By: Elisa Ludwig | February 20, 2026

Over the past decade, health care data breaches have shifted from isolated IT failures to systemic risk events with far-reaching financial, operational, and human consequences. We’ve learned that the true cost of these incidents extends beyond notification expenses or regulatory fines, and encompasses patient trust, care delivery, and insurer exposure across risk lines. As health care organizations grow more digitally connected, the need to protect sensitive data is no longer just a compliance exercise, but a critical component of resilience in a sector where disruption directly impacts lives. 

According to Centrexit, 605 health care breaches were reported to the Department of Health and Human Services in 2025, with impacts touching 44.3 million Americans. Deepstrike estimates that the average cost of these incidents was $7.42 million, more than the global average. While major catastrophic data breaches ticked down, the number of incidents and their collective cost — as well as the rising severity of ransomware — continue to worry industry insiders. 

The Current Cybersecurity Health Care Landscape 

As cyber criminals have evolved their technologies and refined their attack vectors, they no longer (only) target the usual suspects. 

“Victim organizations are not just the large multinational health care organizations anymore,” said John Farley, Managing Director, Cyber Practice, Gallagher. “In fact, we’re seeing small organizations with fewer than 100 employees getting hit. They don’t have the cybersecurity tools that larger, more resource-rich organizations have. While they’re an easier target for the hacker, their data is as valuable as a larger organization’s.”


Farley noted that while smaller health care organizations have started to adapt to this reality, there’s still work to be done as small- and medium-sized businesses across the spectrum continue to lag in cyber coverage. 

“From a health care perspective, cybersecurity isn’t optional,” Farley said. “It’s a shield that protects patients, providers and business partners from a digital disaster. When cyber criminals strike health care, the fallout is in every corner, from the emergency room to the boardroom.”  

The scope and scale of recent breaches have also widened. When attackers went after large companies in the past, those breaches were typically seen as individual security lapses, or one-off failures. In today’s climate, these events are viewed as anything but isolated.

“Because of their sophistication and how interconnected health care systems and vendors and workflows are, we consider it enterprise risk,” said Liz Heddleston, health care attorney and principal at Woods Rogers. “It’s not just about your IT security, but also data governance, frontline employees, vendors, and really the whole gamut of the organization.” 

At the same time, the escalation of ransomware and business email compromise incidents, including those perpetrated by criminal gangs and state actors, has upped the ante for enterprise-wide risk. Ransomware now routinely leads to double and triple extortion schemes with demands in the eight-figure range — and that may be just the beginning of the costs for a victimized organization.

“Cyber used to be considered a short-tail claims environment,” said Ryan Kratz, head of cyber insurance for MSIG USA. “That’s no longer true. You have that initial response of a ransomware event, with breach counsel and breach response costs, and then six months down the road, you might have class actions, which ultimately take around three years to resolve.” 

Industry Weaknesses and Challenges 

In recent years, growing awareness around cybersecurity, enhanced regulation, and routine employee training have chipped away at cyber risk in health care, but from an insurer’s perspective there are obvious weak spots, such as unpatched systems with known vulnerabilities, operational technology exposure through connected medical devices, and legacy systems.  

Above all, human error — whether failing to recognize a funds transfer fraud scheme or enabling ransomware with a mistaken click on a malicious link — remains a key driver of cybersecurity vulnerability. 

Third-party dependencies, which have only become more complex, pose a threat to insurers and insureds. In health care, third parties can include human resources, electronic health records platforms, billing, staffing agencies, medical device networks, and more. 

Awareness and oversight of third-party risk have improved over time, but third parties still represent a far greater attack surface for threat actors. Attacks on highly connected targets have the potential to explode to a devastating scale. The Change Healthcare breach in 2024, for example, impacted 200 million Americans’ personal data, and disrupted services at nearly all U.S. hospitals, delaying care and access to treatment.

“Oversight has improved in the past couple years, but our insureds need to have better visibility into their vendors and understand what level of access they have,” said Erin Halchak, head of cyber at Liberty Mutual. 

Underwriting Cyber Health Care Risk 

Cyber insurers have evolved underwriting practice to keep pace with dizzying shifts in the health care threat landscape. Most recently, COVID lockdowns and a wave of breaches in 2020 and 2021 emphasized the need for ramped-up protections.  

At a minimum, the table stakes for approval have changed. Baseline security measures like MFA must be in place. 

“Without multifactor authentication, there’s a good chance you won’t get a quote,” said Farley. “The same is true for patch management, backups, email hygiene, endpoint detection and response (EDR) tools, and employee training.”


Tools like these are crucial, but their proper implementation, ongoing monitoring, and measurable outcomes are equally important to insurers. Underwriters are taking a closer look at health care companies’ risk management culture, including oversight, budget consistency, and the frequency of incident response tabletop exercises — all of which can have a material impact on terms.

Risk analysis has gotten more technical, Halchak said. “We have a team of risk engineers that support us in scanning and analyzing risk. They answer technical questions when we do find vulnerabilities so we can help insureds improve their security posture.”  

When it comes to third-party risk, underwriters are requiring more assessments, questionnaires, vendor audits, and contractual controls. They want to see inventories of vendors classified by access privileges, for example. 

“We look for vendor management policies and redundancies for vendors so if one critical provider goes down, we can shift to another without missing a beat,” said Kratz. “We’re also looking at aggregation exposure against our book. Do we insure those vendors of yours as well? And if so, if there’s a single point of failure between one of those vendors that impacts you, does that impact our portfolio as a whole?”

Effective Measures 

The canon for cybersecurity best practices is always evolving, but at present experts agree that the baseline “table stakes” measures — MFA, patch management, vulnerability scanning, managed backups, email hygiene, EDR, and employee training — are crucial, along with access management and data inventory, classification and segmentation.

Insurers not only want to see a defensive posture, but they also want to know how an organization will respond in the face of an inevitable breach. 

“One of the most important things an organization can do is put together a written incident response plan, engaging multiple stakeholders and assigning roles, responsibilities and procedures — and then practice it,” Farley said. “We’ve seen too many organizations panic simply because they haven’t practiced for an attack. They engage the wrong resources and by then it’s too late. It’s very hard to walk back a response.” 

A common problem Heddleston has seen in her practice is an organization detecting an intrusion but underreacting, relying only on the IT team to fix the issue. Often, she said, the problem metastasizes into a full-scale ransomware attack after it is deemed “contained.” 

The most successful and well-protected insureds are the hospitals and providers that treat cybersecurity as a holistic concern. 

“This is not just an IT problem,” Halchak said. “It’s your entire operating system and your network. Your enterprise. Your business process dependencies, your data flows, and your vendor ecosystem.” 

Partnering with Policyholders 

Now, more than ever, cybersecurity insurers are working closely with insureds to prepare them for, and help them guard against, the many digital threats they face today. Indeed, Halchak said, underwriting has become less of a “yes/no” decision and more of a process: working with the would-be insured to assess vulnerabilities, make security recommendations, and help them achieve a more manageable risk profile.

“Once a policyholder comes onboard, we have post-binding calls with claims and risk engineering. We want to fully understand the insured’s exposure so we can provide the best coverage and solutions for them,” Halchak said.

Insurers provide a curated list of vendors with pre-negotiated rates from breach coaches to forensic accountants to incident response vendors to ransom negotiators — a team covering every needed discipline for every cybersecurity scenario.  

After an incident occurs, insurers want to stay in close contact and help support the customer going forward, further emphasizing the team approach. 

“We have a post-mortem talk about how this happened and what we could have done differently or better. Maybe there are improvements that could be made on the carrier side or in working with incident response teams,” Halchak said.  

Emerging Threats 

Cybersecurity attacks on health care are existential threats, both to organizations and patients. Current and emerging dangers are always top of mind for executives, and at the moment that means ransomware.

“From a health care perspective, ransomware doesn’t just lock systems down,” Farley said. “It locks lives down. Every second offline is a second that patients can’t afford to lose.”

While the Change incident didn’t result in loss of life, that fear looms large amid the possibility of future ransomware attacks. 

And then there’s AI. Though AI will continue to advance cybersecurity systems and tools, it has already become dangerous in the hands of bad actors, and its destructive potential is largely unknown, whether through shadow AI tools, poisoned data sets, the creation of synthetic identities, or the disabling of records and tools.

Add to all of the above the ever-more byzantine maze of connected medical devices. 

“Not only are we seeing more attacks but the threat of more connected medical devices such as pacemakers,” Kratz said. “The life and death nature of the threat really scares me quite a bit. We’re seeing more insurers provide coverage for cyber-related property damage and bodily injury so it’s a potential emerging risk in the health care space.”  

A Sustainable Future 

Health care organizations will always hold and use patient data, but it’s how they manage that inherent risk that will determine their resilience. Strategic cybersecurity investments will be key — establishing baseline technical controls and forging cultural change within. 

“The leadership needs to have broad visibility into risk metrics inside their organization and conduct continuous validation like evidence-based assessments,” Halchak said. 

On the insurance side, long-term sustainability will require a “resilience first” approach to underwriting, Kratz said.

“We want to reward insureds with those provable recovery capabilities, recovery time objectives, and tested backups. Five or six years ago, we were really just looking for checkboxes on the preventive controls. But now you want insureds to actually implement governance objectives. Health care is a profitable industry class, but it’s also an altruistic one. We want to keep protecting these organizations.”

Elisa Ludwig is a contract writer based outside Philadelphia. She has written extensively about cybersecurity issues for the Junto blog on the eRiskHub. She can be reached at [email protected].