
Cyber incidents in clinics: what your indemnity actually covers

Daniel Okafor
Head of Practice Risk & Cyber
3 March 2026 · 8 min read

A modern clinic runs on data. Appointment systems, electronic records, online bookings, cloud backups and connected diagnostic devices have made practices faster and safer — and far more exposed. When a cyber incident hits, the question members ask first is rarely technical. It is simply: am I covered? The honest answer is that it depends entirely on which policy responds, and most clinicians have never been shown where the lines fall.

Why clinics are a target

Health data is among the most valuable information criminals can steal. A patient record bundles identity details, Medicare numbers, contact information and sensitive health history in one place, and it cannot simply be cancelled and reissued like a credit card. Small and mid-sized practices are attractive precisely because they hold this data but rarely have a dedicated security team. The most common incidents are mundane rather than cinematic: a phishing email that harvests a staff login, ransomware that encrypts the practice server, or a misconfigured system that exposes records to the open internet.

The gap most clinicians miss

Traditional medical indemnity is built around your clinical care. It responds when a patient alleges harm from the healthcare you provided. A cyber incident is a different animal: the harm flows from a failure of your systems and your handling of data, not from a clinical decision. That distinction is where cover can fall through the cracks.

Indemnity protects the doctor for the medicine. Cyber cover protects the practice for the data. A connected clinic needs both, and they are not the same policy.

Many practitioner policies will respond to a privacy breach that arises directly from your own professional conduct — a confidentiality breach in the course of care. What they typically do not fund is the operational reality of a clinic-wide data breach: forensic investigation, system restoration, business interruption while you cannot access records, ransom-response specialists, and the cost of notifying every affected patient.

What good cyber cover actually pays for

When the worst happens, the bills arrive in categories most clinicians have never had to think about. Cyber cover is designed around them:

  • Incident response. Forensic IT specialists to find how the attacker got in, contain it, and confirm what data was reached.
  • Breach notification. The legal and administrative cost of telling affected patients and regulators — a serious data breach involving health information can engage mandatory notification obligations.
  • Business interruption. Lost income while your systems are down and you cannot bill or see patients normally.
  • Cyber extortion. Specialist support and, where lawful and advised, response to a ransom demand.
  • Third-party liability. Claims from patients or others whose information was exposed, and the cost of defending them.
  • Data restoration. Rebuilding records and systems from backups, or reconstructing data that was lost.

The Privacy Act dimension

In Australia, a practice that handles health information is bound by the Privacy Act and the Australian Privacy Principles, which govern how sensitive information is collected, used, secured and disclosed. Where a breach is likely to result in serious harm, the Notifiable Data Breaches scheme requires the practice to assess the breach and notify affected individuals and the regulator. These obligations sit on the practice entity, which is one more reason entity-level cyber cover belongs alongside individual indemnity.

Reducing the risk before you need the cover

Insurance is the backstop, not the strategy. The measures that prevent most incidents are unglamorous and effective: multi-factor authentication on every login, prompt patching of practice software, restricting record access to staff who need it, tested offline backups, and a short, rehearsed plan for who to call if something looks wrong. A practice that can show it took reasonable care also stands on far firmer ground if a claim or breach ever follows.

How Praxis approaches it

Where many insurers still treat cyber as an optional add-on or push it to a third party, Praxis includes privacy-breach and cyber cover as a standard part of clinic and Premier-level cover, because a connected practice is the norm, not the exception. The point is simple: a clinic should not have to discover the gap between “medical indemnity” and “cyber” in the middle of an incident.

The takeaways

  • Indemnity covers your clinical care; it usually will not fund a clinic-wide data breach.
  • Cyber cover pays for response, notification, downtime, extortion and third-party claims.
  • Privacy Act and breach-notification duties fall on the practice entity.
  • Prevention — MFA, patching, backups — is the cheapest cover of all.

Want to see what a connected clinic should carry? Explore clinic & practice cover.
