Do Solo Therapists Need Cyber Liability Insurance? Here's the Real Answer
Picture the worst Tuesday of your professional life. Your laptop is gone — lifted from your car, or locked up by ransomware, or just hacked while you were on vacation. On it: intake forms, progress notes, contact info, maybe a spreadsheet of client emails you swore you'd move somewhere safer.
Now picture calling your malpractice carrier to report it. And picture the adjuster gently explaining that this particular nightmare isn't covered.
That's the gap most solo therapists don't know they have. You almost certainly carry professional liability insurance — it's practically a reflex for licensed clinicians. But cyber liability coverage? That's the one almost nobody buys, and it's the one that handles the exact disaster a small practice is most likely to actually face.
Let's talk honestly about whether you need it, what it does, and what it costs — because the real answer surprises most people.
What malpractice insurance actually covers (and doesn't)
Your professional liability policy is built for clinical risk. It's there for allegations that your treatment caused harm — a boundary violation, a missed risk, a claim that your clinical judgment fell below the standard of care. That's its lane, and it's an important lane.
A data breach is a completely different animal. Nobody's alleging your therapy hurt anyone. The problem is that protected health information got exposed. And most malpractice policies either say nothing about that scenario or contain an explicit exclusion for cyber events, data breaches, and privacy violations.
Some carriers offer a small "endorsement" — a few thousand dollars of breach-response coverage tacked onto a malpractice policy. That's better than nothing, but it's often a fraction of what a real breach costs, and it's easy to assume you have more than you do. The honest move is to read your declarations page. If you can't find clear cyber language, assume you're uncovered.
What cyber insurance actually pays for
This is where it clicks for most people, because the line items map almost perfectly onto what a HIPAA breach forces you to do. A good cyber policy typically covers:
- Breach notification costs. When PHI is exposed, the Breach Notification Rule (45 CFR 164.404–164.408) requires you to notify affected individuals, and for larger breaches, the media and HHS. Drafting, printing, and mailing those notices — for every affected client — adds up fast.
- Forensic investigation. Figuring out what actually happened. You'll likely need a security firm to determine what was accessed, how, and whether the exposure is ongoing. You can't write a competent breach notice without this, and you can't bill it to anyone.
- Legal defense and counsel. A breach lawyer ("breach coach") guides you through your obligations, deadlines, and any regulatory response. This is specialized work, and the hourly rates reflect it.
- Regulatory fines and penalties where insurable. HIPAA settlements with the Office for Civil Rights can be significant, and some policies help with the defense costs and certain penalties associated with an investigation.
- Credit monitoring and identity protection for affected clients. Often expected, sometimes effectively required, and a recurring per-person cost.
- Ransomware and extortion response. If your files are encrypted and someone's demanding payment, you want experts — and coverage — rather than a panic decision at 2 a.m.
- Business interruption. Some policies replace lost income if an incident takes your practice offline.
Notice the theme. Almost every one of these is a cost you'd otherwise pay out of your own pocket, at the worst possible moment, while also trying to keep seeing clients.
The real cost of a breach for a solo practice
People assume a breach is only catastrophic for hospitals and big groups. The opposite is closer to the truth — a solo practice has no in-house legal team, no IT department, and no cash cushion to absorb a five-figure surprise.
Here's a grounded picture. Breach notification alone can run anywhere from roughly $5,000 to $20,000 or more for a solo practice, depending heavily on how many clients are affected. That's before you've paid for forensics, before legal counsel, before credit monitoring, before any regulatory exposure.
Stack the pieces and a "small" breach at a one-person practice can climb well into the tens of thousands of dollars. For a clinician whose entire business runs on a single income, that isn't an inconvenience — it's the kind of number that ends practices.
And the trigger doesn't have to be dramatic. The most common breaches at small practices are mundane: a stolen or lost laptop, a phishing email that gave someone your login, a misconfigured cloud folder, an email sent to the wrong client. You don't need to be hacked by a sophisticated criminal ring. You need one ordinary bad day.
What to look for in a policy
Cyber insurance isn't all the same, and the cheap-looking option isn't always real coverage. A few things to check:
First-party vs. third-party coverage
These are the two halves of a good policy, and you generally want both.
- First-party coverage pays for your costs when you have an incident — the notification, forensics, credit monitoring, ransomware response. For a solo therapist, this is the workhorse. It's what handles the breach itself.
- Third-party coverage pays when someone else sues you over the incident — a client claiming damages from the exposure of their information. Less common for tiny practices, but not impossible, and worth having.
If a quote only includes one side, ask why.
Retroactive date
Breaches are sneaky. An intrusion can happen months before anyone notices. The retroactive date is the earliest point an incident could have started and still be covered. A policy with a recent retroactive date may leave you exposed for a breach that technically began before the policy started but only surfaced after. Ask for the earliest retroactive date you can get.
Coverage limits and sublimits
Look at the headline limit, then look harder at the sublimits — the smaller caps applied to specific categories like notification or regulatory defense. A policy can advertise a $1 million limit while quietly capping breach-notification costs at $25,000. Make sure the sublimits actually match the costs you'd realistically face.
Claims-made vs. occurrence
Most cyber policies are claims-made, meaning the policy must be active both when the incident happens and when the claim is filed. If you let coverage lapse, you can lose protection for past incidents. If you ever stop carrying it, ask about "tail" coverage to bridge the gap — the same way clinicians think about tail coverage on malpractice.
What's required of you
Read the conditions. Some policies require basic safeguards — encryption, multi-factor authentication, current backups — and can reduce or deny a claim if you didn't have them in place. The reassuring part: these are the same safeguards HIPAA's Security Rule already expects of you. Doing them right protects you twice.
What it actually costs
Here's the part that changes minds. For a solo provider, cyber liability coverage typically runs in the range of $500 to $1,500 per year — sometimes less. Compared to the tens of thousands a single breach can cost, it's one of the cheapest forms of real protection a small practice can buy.
That price reflects how this market works. Insurers can offer small healthcare practices affordable rates precisely because they're betting most won't have a major incident — but the ones who do are very, very glad they were covered. For the cost of a few client sessions a year, you offload a risk that could otherwise erase your savings.
How to actually find a policy
You have a few practical paths:
- Start with your malpractice carrier. Many of the big professional-liability providers for therapists and counselors now offer cyber coverage as a standalone policy or a meaningful endorsement. Ask them directly whether your current policy includes anything, and what a real cyber add-on would cost.
- Look at insurers that specialize in small healthcare and professional practices. Several carriers build cyber products specifically for solo and small-group providers, with limits and pricing scaled to a one-person shop rather than a hospital.
- Use a broker who knows healthcare. An independent broker can compare options across carriers and translate the sublimits and exclusions into plain English. For something this jargon-heavy, that's often worth it.
When you call, have a rough sense of your numbers ready: how many active and past client records you hold, what systems store PHI, and what safeguards you already have. The cleaner your security picture, the better your rate.
So — do you need it?
If you store any client information electronically — and essentially every modern practice does — then you carry breach risk whether or not you carry breach insurance. Cyber liability coverage doesn't prevent a breach. It catches you when one happens, so a stolen laptop becomes a stressful week instead of a financial catastrophe.
It connects directly to HIPAA, because breaches are the entire reason this coverage exists. Your Security Rule safeguards lower the odds of an incident. Cyber insurance handles the cost when one slips through anyway. Solo therapists need both — and most have only built half the wall.
Not sure if your practice is covered?
Situations like these are exactly why having documented HIPAA policies matters. Yundra's free risk assessment identifies the specific gaps in your compliance — so you're prepared before something unexpected happens.