In early 2024, the BlackCat ransomware crew got into Change Healthcare, the UnitedHealth-owned clearinghouse that processes roughly a third of U.S. medical claims. The systemic damage — pharmacies that couldn’t fill prescriptions, providers that couldn’t get paid, downstream insurers that couldn’t process anything — ran into the billions. The breach affected an estimated 100 million Americans.
That event was, for cyber underwriting, a “before and after” moment. Limits that looked generous in 2023 looked threadbare by 2025. Here’s how the market has actually moved.
Limit adequacy is back on the table
The classic mid-market cyber limit was $1M–$3M. For a 50-employee professional services firm with no special data exposure, that’s still defensible. For anyone holding meaningful protected health information (PHI), it isn’t.
The math is straightforward: notification, credit monitoring and regulatory defence on a breach of a six-figure number of records now runs $30–$80 per record before you’ve paid a dollar of liability. A practice with 50,000 patient records is looking at $1.5M–$4M in first-party cost alone. Throw in a class action and a ransomware demand and the $3M tower is gone.
What we’re now binding for healthcare practices in 2026:
- Solo / very small (under 5,000 records): $1M – $2M
- Mid-sized practice (5,000 – 50,000 records): $3M – $5M
- Multi-site / specialty group (50,000 – 250,000 records): $5M – $15M, with excess layers
- Larger systems or downstream services: $15M+, often in towers
This is meaningfully higher than 2023 norms — but the loss data has moved further. The premium has only partially kept up; the limit gap is now where most accounts are underinsured.
Contingent BI is the second hidden gap
The Change Healthcare event hurt everyone connected to Change Healthcare, not just Change itself. Pharmacies, providers, payers, RCM vendors — all of them lost weeks of revenue because someone upstream got hit.
That’s contingent business interruption (contingent BI). It’s a sub-coverage on cyber that triggers when a third-party service provider your firm depends on goes offline. Many smaller cyber forms exclude it or sub-limit it to a token amount. Many buyers don’t know to ask.
If your operation depends on a single vendor for claims processing, payments, EHR hosting or scheduling, contingent BI sized to a multi-week outage is no longer optional.
What to ask at your next renewal
- Record count and growth. If you’ve added 20% more patients since last renewal, your effective exposure is 20% higher even if everything else is constant.
- Per-record notification cost. Get the current average from your broker. If it’s gone up — it has — your limit needs to follow.
- Contingent BI coverage and limit. Specifically ask for the limit, not just whether it’s included.
- Excess layers above $5M. The pricing in this band has come down meaningfully since 2024. Stacking is cheaper than you think.
The Change Healthcare lesson isn’t that ransomware happened. It happened before. The lesson is that the cost — and the contagion — of a single attack now travels much further than the limits most buyers carry. Insurance markets have updated. Most buyers haven’t yet.