
Cyber Insurance for a Dental Practice: Cost, Coverage, and HIPAA (2026)

By Dolev Arama · Updated June 2026


In early 2025, a Nevada dental group's network was broken into through an account that belonged to its outside IT vendor. The records of more than 1.2 million patients were exposed, and a proposed $3.3 million settlement was reached to resolve the lawsuits that followed. None of that money came from HIPAA. It was never supposed to.

Cyber insurance is the thing that pays when a breach turns into a bill. This page explains what it covers, what it leaves out, what it tends to cost a small practice, and the one question owners get wrong more than any other: does it actually cover a HIPAA penalty? We do not sell insurance, so nothing here is a pitch. It is what the primary sources and the policies themselves say.

What cyber insurance actually covers, and what it doesn't

A cyber policy is built in three layers, and it helps to know which layer pays for what.

Summary card for the 2025 Absolute Dental Group data breach: a 3.3 million dollar class-action settlement, more than 1.2 million patients affected, and a breach traced to a third-party IT vendor account. Labeled as a class-action settlement, not an OCR penalty.
Source: the breach is recorded on the HHS OCR breach portal; a proposed $3.3 million class-action settlement (Jordan v. Absolute Dental Group, LLC) in the U.S. District Court for the District of Nevada, with a final approval hearing set for 2026. This is a civil settlement, not an OCR penalty. Highlights added by Hipsana.

First-party coverage pays your own out-of-pocket costs after an incident: hiring forensic investigators to find what happened, notifying affected patients, providing credit monitoring, restoring lost data, covering income you lose while the practice is down, and, where it is lawful, a ransomware payment. The U.S. Government Accountability Office describes these as the core losses cyber insurance was created to offset.

Third-party coverage pays when someone else comes after you: patients filing a class action, or a business partner claiming you failed to protect their data. This is the layer that would respond to a lawsuit like the one that produced the $3.3 million Absolute Dental settlement.

Regulatory coverage is the layer people misread. Almost every policy with a regulatory-proceedings clause will pay to defend you during an OCR investigation. The penalty itself is a separate question, and the next section is about exactly that.

What a cyber policy generally will not pay is worth knowing too. GAO notes that policies commonly exclude losses from systemic or catastrophic events such as acts of war, and that carriers increasingly add widespread-event exclusions and sublimits that cap how much is available for a specific loss like ransomware. Read those clauses before you assume a number is covered.

The table below maps the real costs of the Absolute Dental breach to what a cyber policy typically covers.

| Breach cost | Cyber insurance usually pays? | Seen at Absolute Dental (2025) |
|---|---|---|
| Forensics to find what happened | Yes, first-party | Outside cyber experts engaged |
| Notifying patients (1.2M+) | Yes, first-party | Breach notices sent |
| Credit monitoring for patients | Yes, first-party | Reimbursed to patients via the settlement |
| Rebuilding and securing systems | Yes, first-party | Done at the practice's own cost |
| Patient lawsuits and settlement | Yes, third-party | $3.3M class-action settlement |
| Defending an OCR investigation | Usually, under the regulatory clause | Not publicly disclosed |
| The HIPAA penalty itself | Depends on state and policy | Not publicly disclosed |

A real dental breach mapped to what a cyber policy typically covers. “Usually” is a general pattern, not a promise: coverage varies by carrier, state, and policy. “Not publicly disclosed” means no public figure is available for that item.

Does cyber insurance cover a HIPAA fine?

The honest answer is that it depends, and the difference between defense and the penalty is where it depends.

Defending an OCR investigation, the legal and response costs of dealing with the government, is usually covered under a policy's regulatory clause. The penalty itself is far less certain. Coverage turns on your state's law and your policy's exact wording. As a general legal principle, penalties that are punitive in nature are often not insurable as a matter of public policy, and some states limit insuring civil penalties at all. Other policies carry a specific sublimit for regulatory fines that is much smaller than the headline coverage amount. Two practices with the same loss can get two different answers.

The penalties themselves are set in tiers. Under 45 CFR 160.404, HIPAA civil money penalties run across four tiers based on culpability, from a violation you did not know about up to willful neglect left uncorrected. Under the inflation-adjusted amounts that took effect on January 28, 2026, the top of that range is $2,190,294 for identical violations in a calendar year. In practice, settlements with small practices land far below the ceiling, usually in the tens to hundreds of thousands of dollars, because OCR weighs your size, your intent, and your cooperation. The ceiling is real. It is not the number a solo office should plan around.

1. Get the regulatory clause in writing

Ask your broker to confirm, in writing, whether the policy covers OCR investigation defense, whether it covers a penalty, and the sublimit on each.

2. Check your own state

Ask whether penalties are insurable where you practice. The answer is not the same in every state, and it can decide whether the fine is yours to pay.

3. Only attest to controls you have

Insurers can deny a claim if a forensic review shows the security controls you listed on the application were not actually in place when the breach occurred.

4. Read the exclusions

War, widespread-event, and prior-known-incident exclusions are common, and any of them can quietly remove coverage you assumed you had.

Does HIPAA require a dental practice to carry cyber insurance?

No. There is no provision in HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule that requires a covered entity to buy cyber insurance. Anyone who tells you the law mandates it is mistaken.

What can require it is a contract. Your IT vendor's business associate agreement may oblige one side to carry cyber-liability coverage at a set limit. A lender financing your equipment, or a dental support organization you affiliate with, can require it as well. Those obligations are real, but they come from the contract, not from HIPAA. If a vendor's agreement is where you first ran into this, our guide on which vendors need a BAA covers the rest.

There is also a rule change worth watching, and worth describing accurately, because most write-ups get it wrong. In January 2025, OCR proposed a major update to the HIPAA Security Rule. As of mid-2026 it is still a proposed rule. It was published as a notice of proposed rulemaking in the Federal Register on January 6, 2025, the comment period has closed, and OCR has not issued a final rule. If it is finalized as written, it would remove the long-standing “addressable versus required” distinction in 45 CFR 164.306(d) and make multi-factor authentication and encryption mandatory. It would not require insurance. It would require the same controls insurers already demand.

How much does cyber insurance cost for a dental practice?

There is no single price, and any source that gives you one without caveats is guessing. The premium depends on how many patient records you hold, the security controls you can prove, your claims history, and the state you practice in. Industry sources put a small practice's standalone cyber premium in the low thousands of dollars a year for a $1 million limit, but treat that as a starting range, not a quote. Get an actual quote before you budget around it.

Two facts from primary sources put that premium in perspective. GAO has documented that healthcare faces lower coverage limits, rising premiums, and more exclusions than most other sectors, so a dental practice should expect a tighter market than a retail shop would. And IBM's 2025 Cost of a Data Breach Report puts the average healthcare breach at $7.42 million, the highest of any sector. That average is pulled up by large hospital systems, and a solo practice will not see anything close to it. But the response costs that drive it, forensics, patient notification, credit monitoring, and legal fees, still run into the tens or hundreds of thousands for a small practice, and you pay them whether or not OCR ever issues a penalty.

This is also where cyber insurance and compliance spending sit next to each other without overlapping. The cost of getting compliant, the risk assessment and the fixes, is a different line item from the cost of transferring what is left over to an insurer. We break the compliance side down in two other pieces: what a risk assessment costs and what full HIPAA compliance costs per year.

What insurers require before they will cover you (and how it overlaps with HIPAA)

Cyber underwriting has quietly turned into a security audit. Insurers no longer take your word for it. Major brokers report that carriers can decline coverage outright when the basics are missing, and many now run an external scan of your network before they quote. On the application, they ask, in writing, for your security risk analysis.

The same short list of controls shows up on nearly every application: multi-factor authentication, endpoint protection, backups that are tested and cannot be silently deleted, a written incident response plan, and a documented risk analysis. None of that is unfamiliar. CISA names the same controls as essential defenses against ransomware, and HIPAA's Security Rule already requires most of them. The work that makes you insurable is, almost line for line, the work that makes you pass an OCR audit.

There is a sting in the tail. If you attest to a control you do not actually have, and a breach happens, a forensic review can surface the gap and the claim can be denied. The controls have to be real, and you have to be able to show the documentation. That is the same standard OCR applies.

Here is how the application questions line up with the rule.

| What the cyber insurer asks | The matching HIPAA Security Rule control |
|---|---|
| Do you enforce MFA on email, remote access, and admin accounts? | Access control and authentication, 45 CFR 164.312(a)(1) and 164.312(d) |
| Do you encrypt ePHI at rest and in transit? | Encryption, 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii) |
| Have you done a security risk analysis? | Risk analysis, 45 CFR 164.308(a)(1)(ii)(A) |
| Do you keep tested, offline backups? | Contingency plan and data backup, 45 CFR 164.308(a)(7) |
| Do you have a written incident response plan? | Security incident procedures, 45 CFR 164.308(a)(6) |
| Do you train staff to spot phishing? | Security awareness and training, 45 CFR 164.308(a)(5) |

The same controls decide whether you are insurable and whether you pass an OCR audit. One set of work covers both.

The bottom line

Compliance and insurance answer two different questions. HIPAA tells you what you are required to do to protect patient data. Doing it is what makes you both audit-ready and insurable. Cyber insurance is what pays when something gets through anyway. You need both, and neither one is a substitute for the other.

The fastest way to see where you stand is to check the controls an insurer and OCR both ask about: multi-factor authentication, encryption, backups, and a risk analysis. Our free HIPAA Risk Scorecard does exactly that. It takes a few minutes, it names your specific gaps, and it shows you what an underwriter or an auditor would find before they find it. From there, a short review walks you through closing them, which is also what tends to bring an insurer's premium down.

About the author

Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. If a line can't be sourced, it doesn't run.

Sources

  • U.S. District Court for the District of Nevada, Jordan v. Absolute Dental Group, LLC (proposed class-action settlement, final approval hearing 2026).
  • HHS Office for Civil Rights, Breach Portal report, Absolute Dental Group (2025).
  • 45 CFR § 160.404, civil money penalty amounts (eCFR, current).
  • Federal Register, HHS civil monetary penalty inflation adjustment, effective January 28, 2026 (2026-01688).
  • Federal Register, HIPAA Security Rule NPRM, January 6, 2025 (90 FR 800).
  • 45 CFR §§ 164.306, 164.308, 164.312, Security Rule standards (eCFR, current).
  • U.S. Government Accountability Office, Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market (GAO-21-477, 2021).
  • U.S. Government Accountability Office, Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks (GAO-22-104256, 2022).
  • Cybersecurity and Infrastructure Security Agency (CISA), #StopRansomware Guide.
  • Federal Trade Commission, Data Breach Response: A Guide for Business.
  • IBM, Cost of a Data Breach Report 2025 (healthcare figures).

Frequently asked questions

Does cyber insurance cover HIPAA fines?

Sometimes, and not in the way most owners assume. The cost of defending an OCR investigation is usually covered under a policy's regulatory clause. The penalty itself is far less certain: coverage depends on your state's law and your policy wording, some policies cap regulatory fines at a low sublimit, and penalties that are punitive in nature are often not insurable as a matter of public policy. Ask your broker to confirm, in writing, exactly what is covered and at what limit before you rely on it.

Is cyber insurance required for HIPAA compliance?

No. HIPAA does not require a covered entity to carry cyber insurance. What can require it is a contract, such as your IT vendor's business associate agreement, a lender, or a dental support organization. Separately, insurers increasingly expect controls like multi-factor authentication, encryption, and tested backups before they will issue a policy, which HIPAA's Security Rule calls for anyway.

How much is cyber insurance for a small dental practice?

It varies widely. Industry sources put a small practice's standalone cyber premium in the low thousands of dollars a year for a $1 million limit, but the real number depends on your patient-record count, the security controls you can prove, your claims history, and your state. Get a quote rather than budgeting from a published range. For perspective, GAO reports that healthcare faces tighter terms and higher premiums than most sectors.

What is the difference between cyber insurance and HIPAA compliance?

HIPAA compliance is the set of safeguards you are legally required to put in place to protect patient data. Cyber insurance is a financial product that pays for the response and the liability after a breach happens anyway: forensics, patient notification, lawsuits, and regulatory defense. Compliance is the prevention and the legal duty; insurance is the backstop. Neither replaces the other.

Will my business owner's policy cover a data breach?

Almost certainly not. A standard business owner's policy typically excludes losses from electronic data breaches, which is why cyber is sold as its own coverage. GAO has documented that traditional property and casualty policies increasingly carve cyber out and offer it separately. If you are unsure, ask your broker to point to the exact clause in your policy.

Can a cyber insurance claim be denied even if I have a policy?

Yes. The two most common reasons are an excluded event, such as a war or widespread-event exclusion, and a mismatch between the controls you listed on your application and what was actually running when the breach occurred. Carriers have denied claims after a forensic review found that an attested control, like enforced multi-factor authentication, was not in place. Document your controls and keep the documentation current.