Mara T. Roberts, ARM, ACI, CLU | President | WDA Insurance & Services Corp.
Dental practices sit at the intersection of two high‑risk profiles: healthcare and small business. Both are frequent ransomware targets, and HIPAA makes breaches costlier for dentists than for most main‑street offices. For the roughly 20% of U.S. practices that gross around $1 million a year, the question isn’t whether to buy cyber insurance, but how much. This article breaks down the numbers behind the common $1 million policy limit and shows when a practice should step up to $2 million or more.
Why the $1 million limit is today’s baseline
Most agents now recommend a $1 million per‑incident limit to single‑location practices because it covers the prototypical breach: the theft or encryption of 4,000 – 5,000 patient records. At an average of roughly $250 per record—including forensics, notification, credit monitoring and legal costs—response expenses alone can top $1 million. Add ransomware demands, regulatory fines and a week of lost production, and total costs often land between $1.2 million and $1.4 million. A $1 million policy therefore absorbs the bulk of the exposure while keeping premiums in the $1,500 – $3,000 range.
When a $1 million limit may not be enough
Cyber premiums scale gently—typically an extra $400–$600 per additional million of coverage—so it can be prudent to buy more if any of the following apply:
- Patient database exceeds 7,500 active and archived records
- Multiple specialists, heavy implant or imaging volume driving higher downtime risk
- Cloud‑hosted EHR/PMS where vendor outages are outside your control
- Practice assets (goodwill plus building) are valued above $3 million
- Contractual requirements from a lender, hospital or DSO stipulate higher cyber limits
- Digital asset restoration (rebuilding corrupted charts and images)
- Regulatory fines and penalties for HIPAA/FTC investigations
- Third‑party liability for patient or partner lawsuits
- Social‑engineering and funds‑transfer fraud coverage—seek at least a $100k sub‑limit
Practical checklist before you bind coverage
- Inventory active and archived patient records
- Model a two‑week outage; know the revenue you would lose
- Review leases, bank covenants and service agreements for minimum insurance requirements
- Request quotes at $1M, $2M and $3M to see the marginal cost
- Verify ransomware, social‑engineering and business‑interruption sub‑limits
- Reassess limits each renewal—growth or a second location changes the calculus
For many $1 million‑revenue dental practices, a $1 million cyber policy limit closely matches the most probable loss scenario and satisfies common lender and landlord requirements. Practices with larger patient bases, more complex digital workflows or higher asset values should consider stepping up to $2 million or $3 million. Because additional limits are relatively inexpensive, the decision ultimately hinges on your tolerance for the low‑probability, high‑severity breach that could otherwise become a balance‑sheet event.