The Business
A multi-physician orthopedic practice in Georgia operated three locations with 14 providers and 40 staff members. The practice managed electronic health records (EHR) for approximately 28,000 active patients and generated $6.5M in annual revenue.
The practice had general liability and professional liability (malpractice) insurance, but the managing partner had declined cyber liability coverage, believing their EHR vendor's security was sufficient and that HIPAA breaches only happened to large hospital systems.
The Problem
A staff member clicked a phishing link disguised as a patient portal notification. The ransomware encrypted the practice's entire EHR system and exfiltrated records for 8,200 patients — including names, dates of birth, Social Security numbers, insurance information, and medical diagnoses.
The attackers demanded $75,000 in Bitcoin. The practice's IT consultant recommended against paying, but the practice had no offline backups less than 90 days old. They faced: $75K ransom (which they ultimately paid to recover data), $85K in forensic investigation, $62K in mandatory HHS breach notification to 8,200 patients, $48K in credit monitoring services, and $110K in HHS Office for Civil Rights (OCR) settlement for HIPAA violations. Total: $380K.
The malpractice policy explicitly excluded cyber incidents. The general liability policy excluded electronic data. The practice was fully exposed.
The Coverage Solution
We placed a healthcare-specific cyber liability policy four months before the breach. The policy included $1M in first-party coverage (forensics, notification, credit monitoring, ransomware payments) and $1M in third-party coverage (regulatory defense, HIPAA fines, patient lawsuits).
The policy also included a 24/7 breach response hotline with HIPAA-specialized attorneys and forensic investigators who understood healthcare compliance requirements — critical because HHS has strict 60-day notification timelines that start from the date of discovery, not the date you hire a lawyer.
The Outcome
The cyber policy covered the entire $380K — including the $75K ransom payment (with carrier pre-approval), all forensic and notification costs, and the $110K HHS settlement. The breach response team had notifications mailed within 28 days, well under the 60-day HIPAA deadline.
The annual premium was $4,800. The practice also implemented the carrier's recommended security improvements (MFA, encrypted backups, phishing training) which qualified them for a 15% premium discount at renewal. No patients filed individual lawsuits, largely because the notification and credit monitoring response was handled professionally and promptly.
$380K HIPAA breach fully covered — $4,800/yr premium
HIPAA breaches are a when, not an if. Text us to protect your practice.
Start Here: Text HEALTH to (800) 400-8398