Cyber Insurance Claims Fall But Ransomware Losses Increase

There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses up 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1 2025, ransomware attacks accounted for 91% of incurred losses.

On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.

One of the most active ransomware groups this year has been Interlock, which has attacked many healthcare organizations. In a concerning development, Interlock has been observed stealing cyber insurance policies and using them to benchmark and set higher ransom demands. In at least two ransomware attacks, the threat actor referenced the victim’s cyber insurance policy in the ransom demands, and in at least one case, set the ransom demand to just below the policy payout limit.

Resilience warns that cyberattacks are increasing in sophistication and that AI is increasingly being leveraged for social engineering and phishing campaigns. Social engineering and phishing attacks were linked to 88% of incurred losses in H1 2025. AI-assisted phishing campaigns are more difficult for users to identify and for organizations to block. The success rate of traditional phishing and social engineering attempts is 12%, compared to 54% for AI-assisted attacks. Resilience reports that 1.8 billion credentials were compromised in H1 2025 alone, an increase of 800% since January 2025. Social engineering and phishing stood out as leading causes of attacks, along with the inadvertent disclosure of sensitive data due to errors made using tracking technologies.

HIPAA Security Rule Compliance May Not Sufficiently Reduce Risk

Resilience cited one example of a healthcare provider that had invested significantly in cybersecurity yet still fell victim to an attack. The investigation revealed that while reasonable decisions had been made concerning cybersecurity, there were naturally trade-offs due to budgetary constraints. Those trade-offs created vulnerabilities that were ultimately exploited. Despite investing in cybersecurity, the organization’s risk assessments had not been updated in around four years, an aspect of compliance that the HHS’ Office for Civil Rights is actively enforcing because of its importance to security posture.

While the organization initially tested its endpoint protection to ensure it was effective, there was no routine testing after implementation to ensure those measures continued to provide adequate protection. Vendor risk management largely consisted of reviews of security policy documents rather than active monitoring, which occurred for only a few vendors. Incident response plans and disaster recovery exercises failed to consistently meet the organization’s recovery objectives, but the issue was not addressed due to limited resources and competing priorities. Gaps were identified in its backup procedures, as the threat actor was able to encrypt clinical images that had been omitted from backups. That gave the threat actor significant leverage in ransom negotiations. The organization found that its assumed security posture bore little resemblance to its actual defensive capabilities.

Cybersecurity Recommendations for Healthcare Organizations

Naturally, there will be cybersecurity trade-offs under budgetary restrictions, but the security gaps identified in that case study are all too common in healthcare. Resilience suggests that these security gaps are often a consequence of a focus on HIPAA compliance. The problem is that HIPAA only sets baseline standards for security, and the HIPAA Security Rule is more than two decades old. A focus on compliance may help avoid regulatory penalties, but it may not effectively reduce risk or adequately protect against modern threats.

“Organizations deploying disconnected security tools without strategic coordination create gaps between systems, while annual assessments become check-box exercises using outdated measures of effectiveness,” suggests Resilience. “Effective healthcare cybersecurity requires quantifying cyber risks in financial terms rather than relying on subjective ratings. Loss exceedance curves model potential impacts based on organization-specific factors, enabling leaders to understand exactly what risks could cost in business disruption, recovery expenses, and regulatory fines. When expressed financially, security discussions shift from technical justifications to strategic investment decisions.”

Based on its analysis of the current threat landscape, Resilience recommends healthcare organizations prioritize the following areas to improve their cybersecurity posture and limit the harm of a successful attack:

  • Implement a comprehensive backup strategy with particular attention to imaging files, databases, and system configurations
  • Ensure regular tests are conducted to validate recovery capabilities and timeframes under realistic attack scenarios
  • Treat your cyber insurance policy as part of your crown jewels, and ensure it is properly secured
  • Implement robust training programs that address phishing, social engineering, and proper data handling procedures
  • Ensure there is continuous monitoring of third-party vendors’ security postures
  • Adopt methodologies that translate cyber risks into financial terms to allow leadership to make informed investment decisions based on actual risk reduction potential rather than compliance
  • Implement and regularly test your incident response plan, including patient safety considerations and regulatory notification requirements

The post Cyber Insurance Claims Fall But Ransomware Losses Increase appeared first on The HIPAA Journal.

The Human Side of HIPAA Privacy is Patient’s Rights

Almost everyone gets into healthcare for one reason: to help people. Whether it’s at a hospital as a provider or a corporate office as a Privacy Officer, the goal tends to lean towards helping those in need. In the healthcare sector, what comes to mind when you think of Patient’s Rights? Hopefully you thought about the different rights patients have under HIPAA: the right to access records, to restrict disclosure of records, to amend records, to confidential communication of records, to an accounting of disclosures of records, and the right to file a HIPAA complaint. Your organization should have a process or practice in place for how to address each of these.

A patient comes in for an employer-paid pre-employment drug screen. They sign the HIPAA form and proceed with the service. The next day the patient contacts the center and says they would like to revoke their authorization. What do you do? A recurring patient emails the hospital requesting an amendment to their medical record. What do you do? A patient calls the clinic and requests a copy of their medical records to be sent to them via email. What do you do? These requests can seem trivial and be dismissed as headaches, but they are central to trust with a patient and to a compliant privacy program. It is another way we can help our patients. Whether as simple as a record request or as complicated as a revocation request, we are required to treat them with importance and help our patients and organization through the process. Every one of these requests reflects a concern or vulnerability from a patient. So, your readiness and ability to humanize the process while respecting their rights is, in my opinion, supreme.

Treating patient requests seriously reinforces that privacy is not just a regulation, but a core value of your organization. As a Privacy Officer, creating an environment that puts safeguarding patients’ information at its forefront also means safeguarding their rights as patients. Each request should be reviewed and handled in a timely manner under your organization’s standardized practices. In my opinion, the more prepared you are to handle these requests, the easier it will be once they come in, and they will come in. Training your staff to recognize and correctly route or address these requests promptly is critical. This will help reduce delays and frustrations for both staff and patients. Failure to address them can lead to patient complaints and OCR involvement, things we absolutely want to avoid.

When responding to these requests, doing so with compassion, especially when they can’t be granted, is important to establish and keep the patient’s trust and cooperation through the process. When a patient is told an amendment request is denied, this can be frustrating for the patient, and understandably so. Showing compassion while still providing the required determination is, in my opinion, best practice for the most desirable outcome for the patient and the organization.

In my experience, patients want to be heard. They don’t want to feel like they are just a number in an EMR system. When a HIPAA complaint comes into my privacy office, the first thing I do is listen. When an amendment request comes in, the first thing I do is let the patient know we have received their request and are reviewing it internally. I am letting them know they are heard. The rest is following the process in place, remembering to be HIPAA compliant and caring at the same time.

Filing HIPAA complaints and requesting amendments are rights granted under HIPAA, and you should put yourself in the shoes of the patient. How would you want to be treated if it was you requesting these same rights granted to all of us under HIPAA? We can’t lose sight of the reason why people get into healthcare, which is to help people. I recommend building a privacy program that reinforces the importance of helping people. Be relatable, safeguard, and address these requests with care, remembering that the reason most get into healthcare is to help people. So, let’s help them one patient request at a time.

The post The Human Side of HIPAA Privacy is Patient’s Rights appeared first on The HIPAA Journal.