Insurance Doesn’t Just Price Risk—It Carries It

The insurance industry has always been in the business of trust. It takes in some of the most sensitive information a consumer can share and promises to safeguard it for decades. That promise is under strain.

By CyLogic Team


January 3, 2025


The Change Healthcare ransomware attack, disclosed in February 2024, rippled across the market well into 2025 and, according to federal (HHS) breach tallies updated in August 2025, exposed data on roughly 192.7 million people, making it the largest healthcare-adjacent breach on record and a stark reminder of how deep the exposure runs when a critical node is compromised.

Insurers are custodians of unusually complete consumer dossiers: identity, financial history, and often health information.

What makes insurers tempting targets is not only the quantity of data but its quality. Underwriting and claims files link Social Security numbers, driver's license details, payment credentials, and medical or pharmacy data to a single identity. That combination fuels identity theft and fraudulent claims at scale, and it raises the financial stakes when incidents occur. IBM's 2024 Cost of a Data Breach report put the average breach cost in the financial sector at about USD 6.08 million, well above the global mean of USD 4.88 million, underscoring why prevention and faster containment matter in this industry.

The risk is compounded by the way insurance actually works. Most carriers and producers depend on sprawling ecosystems of administrators, brokers, law firms, analytics vendors, mail houses, and payment processors. Each connection is an exchange point for sensitive data. The 2023 mass exploitation of a SQL-injection zero-day in Progress Software's MOVEit Transfer product (CVE-2023-34362) illustrated how one vulnerability in a widely used file-transfer tool could cascade through insurers and retirement plans by way of their vendors; Genworth publicly confirmed that data handled by its vendor PBI Research Services was exposed through MOVEit.

-- Third-party exposure is not a corner case. It is the ordinary state of modern insurance operations.

Recent incidents show the variety of failure modes. In April 2024, Kaiser Foundation Health Plan reported that web and app tracking technologies had transmitted member data to third-party vendors, affecting approximately 13.4 million people. No classic "hack" was required: tracking pixels configured to send member interactions to advertising and analytics vendors were enough to trigger a mass notification and reputational harm.

Attackers' playbooks keep evolving, but the most common incident types remain familiar: phishing-driven credential theft, malware including ransomware, data exfiltration for extortion, and denial-of-service attacks that interrupt core services. The European Insurance and Occupational Pensions Authority (EIOPA) flagged this pattern in its review of cyber risk for insurers, a finding that tracks with what many U.S. carriers experience operationally when an outage or account lockout ripples through claims and policy systems.

Trust is the product. Digital convenience cannot come at the expense of transparency and control. Consumers now assume they can bind coverage on a phone, submit photos for an auto claim, or check an explanation of benefits online. That means more endpoints, broader API exposure, and frequent data interchange with partners. It also means breach fallout is no longer limited to legal bills and call-center overtime. There is an enduring hit to brand equity when the company’s promise to protect customers’ information is called into question.

Regulators have responded with sharper rules and clearer lines. New York's Department of Financial Services has tightened its Cybersecurity Regulation (23 NYCRR Part 500), with phased milestones running from 2024 into 2025 and enhanced obligations for larger "Class A" companies. The framework centers on risk assessments, stronger identity and access controls (including multi-factor authentication), governance accountability, and faster incident reporting, with cybersecurity incidents reportable within 72 hours and extortion payments within 24 hours. In practice those guardrails are becoming a floor for national programs because of New York's market gravity.

At the same time, state insurance regulators have been converging on a common baseline through the NAIC Insurance Data Security Model Law. As of October 31, 2025, twenty-eight jurisdictions had adopted versions of the model, with one more pending. That patchwork is converging into an operationally coherent set of expectations around risk assessments, written information security programs, board oversight, and event notification.

Regulation is moving toward outcomes: prove you can prevent, detect, respond, and recover—continuously.

Strengthening cybersecurity in insurance starts with basics executed well and verified continuously. Limit standing privileges, and require phishing-resistant multi-factor authentication (FIDO2/WebAuthn or smart-card credentials rather than SMS codes or push approvals) across employee, producer, and vendor access. Inventory data flows so you can actually shut off exposure when contracts end. Treat third-party due diligence as a living process, not a questionnaire completed at onboarding. Encrypt data at rest and in transit, and measure detection and response times the way you measure loss ratios, because those minutes and hours change the cost curve when something goes wrong.
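To make the "inventory data flows so you can shut off exposure" step concrete, here is an added example (not CyLogic's code) of a third-party data-flow inventory that can be queried for expired contracts with access still live, missing encryption, stale due diligence, and vendors holding the SSN-plus-health or SSN-plus-payment combinations that make insurer data so valuable to identity thieves. The vendors, data classes, record counts, dates, sensitivity weights and review interval are constructed assumptions.

```python
"""Third-party data-flow inventory check.

Added example, not CyLogic's code. Vendors, data classes, record counts,
dates and the review interval are constructed assumptions. The point is that
the inventory is queryable: expired contracts and risky data combinations
surface automatically instead of waiting for the next questionnaire cycle.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Assumed weight per data class. A vendor holding several classes for the
# same person is a richer identity-theft kit than one holding any single class.
SENSITIVITY = {"contact": 1, "dl": 2, "payment": 3, "ssn": 4, "health": 4}

# Combinations the article singles out: identity plus health or payment data.
HIGH_RISK_COMBOS = ({"ssn", "health"}, {"ssn", "payment"})

# Constructed "today" for the sample run.
TODAY = date(2025, 11, 1)


@dataclass
class DataFlow:
    vendor: str
    purpose: str
    data_classes: FrozenSet[str]
    records: int                   # approximate number of people in scope
    contract_end: Optional[date]   # None = not tracked, which is itself a gap
    access_active: bool            # SFTP account, API key, VPN or portal login still enabled
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    last_reviewed: date


def exposure_score(flow: DataFlow) -> int:
    """Rough blast-radius figure: sensitivity of the data held times people affected."""
    return sum(SENSITIVITY[c] for c in flow.data_classes) * flow.records


def findings(flow: DataFlow, today: date, review_interval_days: int = 365) -> List[str]:
    """Rules a practitioner would run on every row of the inventory."""
    out: List[str] = []
    if flow.contract_end is None:
        out.append("no contract end date on record")
    elif flow.contract_end < today and flow.access_active:
        out.append(f"contract ended {flow.contract_end.isoformat()} but access is still active")
    if not flow.encrypted_in_transit:
        out.append("link is not encrypted in transit")
    if not flow.encrypted_at_rest:
        out.append("vendor does not encrypt the data at rest")
    if (today - flow.last_reviewed).days > review_interval_days:
        out.append(f"due diligence stale (last reviewed {flow.last_reviewed.isoformat()})")
    for combo in HIGH_RISK_COMBOS:
        if combo <= flow.data_classes:
            out.append("single vendor holds " + "+".join(sorted(combo)) + "; confirm minimization")
    return out


def audit(flows, today: date):
    """One row per flow, highest exposure first, so remediation is prioritised by blast radius."""
    rows = [{"vendor": f.vendor, "exposure": exposure_score(f), "findings": findings(f, today)}
            for f in flows]
    return sorted(rows, key=lambda r: (-r["exposure"], r["vendor"]))


# Constructed inventory rows (not real vendors, contracts or figures).
SAMPLE_FLOWS = [
    DataFlow("ClaimsAdmin TPA", "claims adjudication", frozenset({"contact", "ssn", "health"}),
             2_000_000, date(2026, 6, 30), True, True, True, date(2025, 3, 15)),
    DataFlow("Mail House", "EOB printing", frozenset({"contact", "health"}),
             800_000, date(2024, 9, 30), True, True, True, date(2024, 1, 10)),
    DataFlow("Analytics Vendor", "pricing models", frozenset({"ssn", "payment", "dl"}),
             150_000, None, True, True, False, date(2025, 9, 1)),
    DataFlow("Former Broker", "quoting", frozenset({"contact"}),
             5_000, date(2025, 1, 31), False, True, True, date(2025, 1, 31)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS, TODAY):
        print(f"{row['vendor']:<18} exposure={row['exposure']:>10,}  {row['findings'] or 'no findings'}")
```

Run it from a scheduled job against the real inventory rather than by hand once a year; the "contract ended but access is still active" rule only works if the inventory is updated when procurement closes a contract, which is the organisational link the article is pointing at.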

Finally, communicate like a fiduciary of customer trust. If tracking tools are deployed on consumer-facing sites and apps, disclose what they do, configure them so they cannot capture sensitive fields, and validate those controls regularly, since a single tag-manager change can reintroduce the leak. If an incident occurs, say what happened, what data was involved, and what you have changed to prevent a repeat. The industry's credibility depends on it.
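As an added example (not CyLogic's code, and not Kaiser's configuration), the following check runs over constructed records of outbound requests, the kind a browser HAR export or proxy log yields, and flags the failure mode behind the Kaiser notification described above: member identifiers, health terms, SSNs or e-mail addresses sent to third-party tracking hosts, including inside base64-wrapped payloads. The tracker host list, field names, health vocabulary and sample requests are assumptions to be replaced with your own tag inventory.

```python
"""Validate that tracking tags do not carry sensitive data off-site.

Added example, not CyLogic's code. Scans records of outbound requests for
member identifiers, health terms, SSNs and e-mail addresses sent to
third-party tracking hosts. The host list, field names, vocabulary and
sample requests are constructed assumptions.
"""
import base64
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed third-party tracking endpoints taken from the site's tag inventory.
TRACKER_HOSTS = {"tracking.example-analytics.net", "px.example-ads.com"}

# Parameter names that must never reach a tracker (assumed naming convention).
SENSITIVE_KEYS = {"member_id", "ssn", "dob", "diagnosis", "rx", "claim_id", "email"}

# Value patterns: SSN, e-mail, and a deliberately short health vocabulary.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "health_term": re.compile(r"\b(diabetes|hiv|oncology|pharmacy|prescription)\b", re.I),
}


def maybe_base64(value: str) -> str:
    """Trackers often base64-wrap payloads; return decoded text if it is valid UTF-8, else the original."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except Exception:
        return value


def extract_fields(request):
    """Flatten query string, JSON or form body, and URL path into (key, value) pairs."""
    parts = urlsplit(request["url"])
    fields = list(parse_qsl(parts.query, keep_blank_values=True))
    body = request.get("body") or ""
    if body:
        try:
            payload = json.loads(body)
            if isinstance(payload, dict):
                fields.extend((k, str(v)) for k, v in payload.items())
        except ValueError:
            fields.extend(parse_qsl(body, keep_blank_values=True))
    fields.append(("path", unquote(parts.path)))  # identifiers also hide in paths
    return parts.hostname, fields


def audit_request(request):
    """Findings for one request; an empty list means nothing sensitive went to a tracker."""
    host, fields = extract_fields(request)
    if host not in TRACKER_HOSTS:
        return []  # first-party traffic is out of scope for this check
    findings = []
    for key, value in fields:
        candidates = [value]
        decoded = maybe_base64(value) if len(value) >= 8 else value
        if decoded != value:
            candidates.append(decoded)  # inspect the unwrapped payload too
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"{host}: sensitive field '{key}' sent to tracker")
        for name, pattern in VALUE_PATTERNS.items():
            if any(pattern.search(c) for c in candidates):
                findings.append(f"{host}: value of '{key}' matches {name}")
    return findings


def audit(requests):
    """Return (url, findings) per request so a CI job can fail on any non-empty list."""
    return [(r["url"], audit_request(r)) for r in requests]


# Constructed sample traffic: two leaks, one clean beacon, one first-party call.
SAMPLE_REQUESTS = [
    {"url": "https://tracking.example-analytics.net/collect?ev=pageview&member_id=MBR-0042&page=/pharmacy/refill",
     "body": ""},
    {"url": "https://px.example-ads.com/p",
     "body": json.dumps({"u": base64.b64encode(b"jane.doe@example.com").decode()})},
    {"url": "https://tracking.example-analytics.net/collect?ev=pageview&page=/home", "body": ""},
    {"url": "https://www.example-insurer.com/api/claims/12345", "body": '{"ssn": "123-45-6789"}'},
]

if __name__ == "__main__":
    for url, found in audit(SAMPLE_REQUESTS):
        print(url, "->", found or "clean")
```

Wire this into the release pipeline and re-run it whenever the tag-manager container changes, because the leak usually arrives as a marketing configuration edit rather than a code deploy; a second pass that also checks request headers (Referer with a sensitive URL, cookies) is a natural extension.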

For carriers and producers, the mandate is clear. You cannot stop every attack, but you can narrow the blast radius, shorten the time to recover, and prove to regulators and customers that security is baked into how you operate. That is what resilience looks like in an industry that doesn’t just price risk—it carries it.
