Economic impact of healthcare cyber risks

M. Fátima Brilhante, Sandra Mendonça, Pedro Pestana, M. Luísa Rocha, Rui Santos*

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-review

Abstract

Purpose: The healthcare sector is a primary target for cybercriminals, with health data breaches ranking among the most critical threats. Despite stringent penalties imposed by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), vulnerabilities still persist due to slow detection and ineffective data protection measures. On the other hand, as organizations are often reluctant to disclose security breaches for fear of reputational and market share losses, penalties can serve as a useful proxy for quantifying losses and insurance claims.

Methods: This study analyzes fines and settlements (2008–2024) using the traditional lognormal, general extreme value (GEV) and other heavy-tailed statistical models, including the geo-max-stable loglogistic law, and also the mixture models hyperexponential and hyperloglogistic.

Results: Mixture models, either the hyperexponential or the hyperloglogistic, deliver the best fit for OCR penalties, and for yearly maxima, the best fit is achieved with the GEV distribution. Regarding Attorneys General fines, the hyperexponential model is optimal, with the GEV model excelling again for their yearly maxima. Hence, mixture models effectively capture the dual nature of penalty data, comprising clusters of moderate and extreme values. However, yearly maxima align better with the GEV model.

Conclusions: The findings suggest that while Panjer’s theory for aggregate claims suffices for moderate claims, it must be supplemented with strategies to address extreme cybercrime scenarios, ensuring insurers and reinsurers can manage severe losses effectively.

Original language: English
Pages (from-to): 635-650
Number of pages: 16
Journal: Health and Technology
Volume: 15
Issue number: 3
Publication status: Published - May 2025

Keywords

  • Cyber risk
  • Extreme value theory
  • Healthcare breaches
  • Insurance
  • Vulnerabilities
