Cyberattacks are a growing threat to many industries, and the healthcare industry is no exception. In an effort to shield themselves from dangers such as hackers and cyber extortion, physicians would benefit tremendously from specialty cyber coverage and tailored liability insurance. When it comes to claims such as privacy lawsuits resulting from illegally released personal profiles, the majority of cyber insurance products are built to provide substantial liability insurance protection. All areas of the healthcare industry are potential targets, and thus, they must all do their part to protect the web of healthcare professionals and networks. Without this group effort, any single cyberattack within the healthcare industry could trickle down and branch out to adversely affect many additional entities, as occurred with Change Healthcare in February 2024.
In the spring of 2024, the healthcare industry was affected by numerous ransomware attacks. These attacks exposed healthcare organizations to significant disruptions in operations and released sensitive information, thereby making them more vulnerable to privacy class-action litigation. According to a June 2024 Wired article, the cybersecurity firm Recorded Future noted 44 ransomware attack cases within the healthcare industry. Not only did these attacks have a direct adverse effect on the immediately exposed entities, but they also led to many third-party liability claims.
Thankfully, physicians can protect their patients and organizations by adopting cyber insurance products and additional insurance products such as directors and officers (D&O) insurance, crime insurance, errors and omissions (E&O) insurance, and general liability insurance. Cyber insurance companies usually protect against privacy litigation due to hacking. Many also cover crisis management costs, forensic investigations, and regulatory defense costs. Regarding regulatory-risk exposure for people handling medical records, the lion’s share of cyber-insurance products will protect against regulatory actions and investigations. Insurance products such as commercial general liability insurance and E&O insurance have potentially huge value, even in the event of a cyber-related claim not related to hacking. For instance, if a healthcare organization experiences a failure in technology, E&O coverage could protect the entity and its physicians from liability pertaining to issues such as computer system malfunction.
Amid the increase in cyberattacks, however, courts are hesitant to accept insurance companies’ claims that their non–cyber-specific policies are intended for application to cyber-related costs. For example, in the 2023 Merck & Co. v. ACE Am. Ins. Co. case (NJ App. Div. May 1, 2023), the court held that the “war risk” exclusion did not prohibit coverage for Merck’s losses incurred from the state-sponsored 2017 NotPetya malware attack. Decisions such as this have prompted the insurance industry to add exclusions specific to cyber threats, such as state-sponsored attacks. Given the diversity of cyber-related coverage, physicians must understand the various options.