
Case Scenario: Ransomware Attack Exposes 8,500 Patient Records

A single click on a phishing email turned into a costly lesson in cybersecurity, HIPAA compliance, and risk management.

Midwest Spine Associates (MSA), a multi-provider chiropractic clinic, discovered on April 9, 2025, that its entire patient record system had been encrypted in a ransomware attack. An investigation later revealed the intrusion began 21 days earlier, when a staff member unknowingly clicked a phishing link and gave the attackers a foothold on the clinic's network. The attackers used those three weeks to move through the network and copy data before triggering the encryption.

By the time the attack was discovered, cybercriminals had already exfiltrated a database containing sensitive information for approximately 8,500 patients, including names, addresses, Social Security numbers, health insurance IDs, and clinical treatment notes.

What followed was an expensive and time-consuming response effort involving legal, technical, and regulatory obligations.

The Response

Under the HIPAA Breach Notification Rule, MSA was required, without unreasonable delay and no later than 60 calendar days after discovering the breach, to:

  • Notify all affected patients in writing by first-class mail (or by email, for patients who had agreed to electronic notice).
  • Alert prominent media outlets serving the affected state or jurisdiction, because the breach involved more than 500 residents.
  • Report the incident to the Secretary of Health and Human Services (HHS), which publishes breaches of 500 or more individuals on its public breach portal.

In addition, MSA offered 12 months of complimentary credit monitoring to affected patients. HIPAA itself does not mandate credit monitoring, but it is standard practice when Social Security numbers are exposed and some state breach-notification laws require it.

Beyond the notification requirements, the clinic also needed immediate technical and legal support: forensic investigators to determine how the attackers got in and what data they took, and counsel to manage the regulatory response.

The Financial Impact

Costs escalated quickly due to the scale of the breach and the specialized services required to respond.

  • Malware removal and system hardening: $15,000-$25,000
  • Legal Counsel for HIPAA compliance and regulatory defense: $10,000-$20,000
  • Printing, postage and administration of patient notification: $17,000
  • Credit monitoring enrollment for affected patients: $8,500-$25,000
  • Regulatory fines, penalties and settlements: $10,000-$50,000

Total costs: $60,500-$137,000+

1st Party vs. 3rd Party Cyber Coverage

Cyber insurance policies are typically divided into two separate coverage areas designed to address different types of losses.

1st Party Coverage (Data Breach Coverage)

Data Breach coverage generally helps reimburse the clinic for direct expenses related to managing the incident. This may include IT forensics, preparing official notification letters, mailing costs, and credit monitoring services for affected patients.

3rd Party Coverage (Cyber Liability)

Cyber Liability coverage helps protect the clinic against claims made by outside parties, including patient lawsuits, legal defense costs, settlements, and government-imposed HIPAA fines or penalties (to the extent such fines are insurable under applicable law).

What Can We Learn?

A standard Business Owner’s Policy (BOP) may include Data Breach limits as low as $25,000 — far below the projected costs of a breach of this size. A standalone Cyber Liability policy with both 1st and 3rd party protections can help address the full range of forensic, notification, and legal expenses.

Maintaining a backup system that is kept offline or otherwise isolated from the production network and the internet can help protect critical data from ransomware and other cyberattacks. In this case, an isolated backup may have allowed the clinic to restore patient records without extended downtime or a ransom payment. Two caveats apply. First, because the attackers were inside the network for 21 days before encrypting anything, the backup set must retain copies older than the intrusion and must be tested periodically, or the clinic could end up restoring a compromised system. Second, backups address availability only: the attackers had already exfiltrated the database, so the notification obligations and most of the costs above would have applied even with a perfect restore.

While HIPAA already requires security awareness training for the entire workforce, adding regular phishing-awareness education and simulated phishing exercises can significantly reduce risk by helping employees recognize and report suspicious emails before a breach occurs. The three-week gap between the phishing click and discovery also points to two further controls: multi-factor authentication on email and remote access, so a stolen password alone is not enough to get in, and monitoring that would flag unusual logins or a large database being copied out of the network.

The above scenario is not based on a single case. It is a composite example of what can easily happen without adequate insurance coverage, drawn from claims we have encountered.