Cyber Insurance for Medical & Dental Practices in Texas (2026)

A single cyberattack can lock a medical or dental practice out of its systems overnight — and in Texas, the financial impact can reach millions when HIPAA and HB 300 penalties stack together.


CYBER INSURANCE · FRISCO, TX

Cyber Insurance for Medical and Dental Practices in Texas: What a Single Breach Could Cost You in 2026

Texas practices face dual penalties under HIPAA and HB 300 — here’s how the right cyber policy keeps your practice, your patients, and your livelihood intact.

TL;DR FOR BUSY PEOPLE

Healthcare data breaches cost an average of $7.42 million per incident — the highest of any industry for 14 consecutive years. Texas medical and dental practices face even steeper exposure because HB 300 stacks state-level penalties on top of federal HIPAA fines. A stand-alone cyber policy (averaging around $79/month) is the single most cost-efficient way to cover breach response, ransomware recovery, regulatory fines, and lost income while your systems are down.

FAST ANSWER

  • Yes, your practice needs stand-alone cyber insurance. A BOP endorsement typically caps cyber coverage at $10,000–$50,000 — a fraction of what a real healthcare breach costs.
  • Texas is stricter than most states. HB 300 expands who qualifies as a “covered entity,” shortens response deadlines, and authorizes penalties from $5,000 to $1.5 million per year — on top of federal HIPAA fines.
  • The math is brutal. A single breached patient record costs roughly $398 on average. For a mid-size dental practice with 5,000 patient records, that’s nearly $2 million in potential exposure — before legal fees, downtime, or reputation damage.

Monday Morning, Locked Screens, and a $350,000 Lesson

The front-desk coordinator at a dental practice off Legacy Drive in Frisco clicks the power button at 7:45 AM. Instead of the familiar login screen, she’s staring at a red padlock icon and a message she’s never seen before: “Your files have been encrypted. Pay 3.2 Bitcoin within 72 hours or your data will be published.”

No patient records. No scheduling system. No digital X-rays. The phones still ring — but there’s nothing to look up, nothing to confirm, nothing to bill. The practice is functionally dead.

This isn’t hypothetical. In early 2026, Grand Prairie-based Pecan Tree Dental reported a data breach affecting 13,300 patients. Dental Group of Amarillo settled a class-action lawsuit for $1 million after a 2023 cyberattack — with allegations that the practice delayed patient notification in violation of Texas law. And we’ve written before about what happens when a cyberattack shuts down a Frisco business — the financial wreckage extends far beyond the ransom demand itself.

Proverbs 27:12 puts it plainly: “A prudent man foreseeth the evil, and hideth himself; but the simple pass on, and are punished.” The evil here isn’t abstract. It’s an industry that produced 636 ransomware attacks on healthcare in 2025 alone — a 58% increase over the prior year. Hiding yourself means building the right protection before the Monday morning you hope never comes.

This guide is your blueprint. Let’s walk through what’s actually at stake, what Texas law demands, and how the right cyber insurance policy transforms a practice-ending crisis into a recoverable event.


Why Medical and Dental Practices Are the #1 Target

Here’s the first-principles truth most practice owners miss: your patient records are more valuable than credit card numbers on the dark web.

A stolen credit card can be canceled in minutes. A patient record — containing a Social Security number, date of birth, insurance ID, medical history, and billing data — is a permanent identity package. Criminals use it for insurance fraud, tax fraud, prescription fraud, and synthetic identity creation. A single patient record sells for 10 to 40 times the price of a credit card number in underground markets.

Now combine that with the reality of how most practices operate: lean IT budgets, legacy software running on outdated operating systems, staff who click links in phishing emails, and third-party vendors (billing services, imaging software, cloud-based EHR systems) that create shared responsibility exposure. The HHS Office for Civil Rights doesn’t care whether the breach originated from your front desk or from your EHR vendor’s server — your practice is still on the hook for notification and compliance obligations.

There’s a reason healthcare tops the list of industries most in need of cyber insurance. The sector has been the most expensive industry for data breaches for 14 consecutive years. And the attackers aren’t slowing down — ransomware attacks on healthcare surged 58% in 2025, with an additional 50% spike in Q4 alone.

Think of it this way: a dental practice along the 380 corridor in Frisco or McKinney with 4,000 active patient files is sitting on a data vault that cybercriminals view as essentially unguarded. Your practice doesn’t need to be large to be a target. It just needs to be connected.

Texas HB 300: The Law Most Practice Owners Don’t Know About

Most practice owners have heard of HIPAA. Far fewer understand that Texas has its own privacy law — House Bill 300 — that goes further than federal requirements. And when you operate in Texas, you’re subject to both.

Here’s what makes HB 300 dangerous for the unprepared:

Broader definition of “covered entity.” Under HIPAA, covered entities are health plans, clearinghouses, providers, and their business associates. HB 300 expands that definition to include any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information. Your IT vendor, your billing company, even your cloud storage provider — they’re all covered under Texas law.

Faster timelines. HIPAA gives you 60 days to notify affected individuals. Texas requires it “as quickly as possible” but no later than 60 days — and if more than 250 Texans are affected, you must notify the Texas Attorney General within 30 days. Miss that deadline, and the AG can impose $100 per record per day in penalties, capped at $250,000 per breach — on top of any federal HIPAA fines.

Stacking penalties. A HIPAA violation can result in fines up to $50,000 per violation, maxing at $1.5 million per year. HB 300 adds Texas-specific penalties ranging from $5,000 to $1.5 million per year for wrongful disclosure of PHI. That means a single breach event can trigger two separate penalty tracks — federal and state — simultaneously. This is the dual liability that makes Texas one of the most punitive states in the country for data breach notification failures.

Mandatory training. HB 300 requires all employees who handle PHI to receive privacy training within 90 days of hire and at least every two years thereafter — customized to each employee’s role. Failure to document that training is itself a compliance violation.

The bottom line: if you’re a medical or dental practice in Frisco, Plano, Allen, McKinney, or anywhere in Collin or Denton County, you’re operating under a stricter regulatory regime than practices in most other states. Your healthcare cyber liability exposure is not just a federal issue — it’s a Texas-specific risk that demands Texas-specific preparation.

The Myths That Leave Practices Exposed

In our experience helping North Texas businesses navigate the truth about cyber insurance and data breaches, we hear the same dangerous assumptions from healthcare providers over and over:

  • “We’re too small to be a target.” Reality: small practices are preferred targets because they rarely have dedicated IT security staff, active monitoring, or incident response plans. Issaqueena Pediatric Dentistry — a single-location office — was hit with ransomware in late 2025. 32 Pearls, a two-location dental practice in Washington, had 23,517 patient records compromised. Practice size offers zero protection against determined attackers.
  • “My general liability or BOP covers cyber events.” Reality: standard general liability policies explicitly exclude cyber-related incidents. A business owner’s policy may include a cyber endorsement, but these typically cap coverage at $10,000 to $50,000 and exclude critical exposures like social engineering fraud, funds transfer fraud, and regulatory fines. Think of it this way: that endorsement is a first-aid kit on a construction site — better than nothing, but useless when someone needs surgery.
  • “We’re HIPAA compliant, so we’re protected.” Reality: compliance and security are not the same thing. HIPAA compliance focuses on preventing breaches through policies and procedures. Cyber insurance covers what happens after defenses fail — and defenses will eventually fail. Even fully compliant organizations get breached. The question isn’t if; it’s when, and whether you’ll be able to recover.

What a Breach Actually Costs (The Numbers)

Let’s strip this down to the raw math — because understanding the true cost of cyber insurance in Texas starts with understanding what you’re insuring against:

| Cost Category | Average Amount | Source |
| --- | --- | --- |
| Average healthcare breach (total cost) | $7.42 million | IBM / Ponemon 2025 |
| Cost per breached patient record | $398 | IBM 2025 |
| Average time to detect & contain breach | 279 days | IBM 2025 |
| HIPAA fine per violation (max/year) | $50,000 / $1.5M | HHS OCR |
| Texas HB 300 penalty range (per year) | $5,000 – $1.5M | TX Health & Safety Code §181.201 |
| TX AG late-notification penalty | $100/record/day (cap $250K) | TX Business & Commerce Code §521 |
| Average cyber insurance cost (healthcare) | ~$79/month | Insureon |
| Texas dental breach example (2026) | 13,300 records exposed | Pecan Tree Dental / HHS OCR |

Let’s make this concrete for a Frisco-area practice: a dental office with 5,000 patient records suffers a ransomware attack. At $398 per record, the exposure approaches $2 million — before you add forensic investigation costs, legal fees, mandatory patient notification, credit monitoring, business interruption losses during 10–14 days of system downtime, and potential regulatory penalties from both HHS and the Texas AG.

Meanwhile, stand-alone cyber coverage starts at roughly $79 per month. The premium-to-exposure ratio isn’t even close. This isn’t a luxury purchase — it’s basic financial stewardship.

Stand-Alone Cyber Insurance: What It Covers and Why It Matters

A proper stand-alone cyber liability policy for a medical or dental practice provides two layers of protection:

First-party coverage addresses the costs your practice incurs directly from a breach or cyberattack. This includes forensic investigation to determine what happened and what data was compromised, breach notification costs (legally required under both HIPAA and Texas law), credit monitoring for affected patients, data recovery and system restoration, business interruption coverage for lost income during downtime, and ransomware extortion payment coverage.

Third-party coverage protects you when someone else — a patient, a regulator, a business partner — comes after you. This includes legal defense costs, settlements and judgments from patient lawsuits, regulatory fines and penalties from HHS and the Texas Attorney General, and PCI-DSS fines if you accept credit card payments and aren’t fully compliant.

For most medical and dental practices, appropriate limits start at $1 million, with dedicated sublimits of at least $100,000–$250,000 for social engineering and funds transfer fraud. If your patient database exceeds 7,500 records, or if you use cloud-hosted EHR/practice management software where vendor outages are outside your control, consider higher limits. Understanding how much cyber liability protection your business actually needs is a conversation worth having before renewal — not after an incident.

Equally important: many carriers now require baseline security controls to qualify for coverage — multi-factor authentication (MFA), endpoint detection and response (EDR), documented incident response plans, and regular employee training. This isn’t red tape. These requirements align directly with HIPAA’s Security Rule and Texas HB 300’s training mandates, meaning the insurance qualification process actually helps you strengthen your compliance posture simultaneously.

The Agent’s Office® Advantage for Healthcare Practices

Here’s what changes when you work with an independent agency instead of buying a policy through a single-carrier portal or a tech company’s referral link:

We compare. The Agent’s Office® represents 75+ carriers. For cyber insurance in Texas, that means we can place your coverage with the carrier whose policy form, sublimits, and exclusions best match your practice’s specific risk profile — not the carrier that happens to pay the highest commission or the one your EHR vendor has a referral deal with.

We translate. Cyber policy language is dense. Exclusions for “failure to maintain” security controls, “retroactive date” limitations, “prior acts” carve-outs, and “war and terrorism” exclusions can quietly hollow out a policy that looks comprehensive on the surface. We read the forms so you don’t have to, and we flag the gaps before they matter.

We understand Texas. We know that your practice faces HB 300 obligations on top of federal HIPAA requirements. We know that understanding how cyber insurance claims actually work in Frisco requires local context — not a generic national playbook. And we know that a practice off Legacy Drive has different operational realities than a hospital system in Houston.

We build the whole protection architecture. Cyber insurance is one layer. We also help medical and dental practices evaluate their general liability, professional liability, business owner’s policy, and employment practices coverage to ensure there are no gaps between policies where a cyber event could slip through uninsured.

Your patients trust you with their health. Protect the data they trust you with, too.

A stand-alone cyber policy for your medical or dental practice could cost less than a single patient crown — and protect you against losses that could close your doors permanently. Let’s compare your options across multiple carriers.

FAQs About Cyber Insurance for Medical and Dental Practices

Does my dental practice really need a stand-alone cyber insurance policy?

Yes. General liability and business owner’s policies either exclude cyber events entirely or cap coverage at $10,000–$50,000 — far below the real cost of a healthcare breach. A stand-alone policy provides comprehensive first-party and third-party coverage, including forensic investigation, breach notification, business interruption, regulatory fines, and legal defense. For a healthcare practice handling protected health information, stand-alone coverage is the only option that matches the actual risk.

What does cyber insurance cover for HIPAA violations in Texas?

A well-structured cyber policy covers regulatory fines and penalties from both federal HIPAA enforcement (through HHS/OCR) and Texas state enforcement (through the Attorney General under HB 300 and the Identity Theft Enforcement and Protection Act). It also covers the legal defense costs associated with regulatory investigations, the mandatory breach notification expenses, and credit monitoring for affected patients. Coverage varies by carrier, so it’s critical to review policy language for regulatory penalty sublimits and any exclusions tied to “failure to maintain” security controls.

How much does cyber insurance cost for a medical or dental practice?

Healthcare professionals pay an average of approximately $79 per month (roughly $950/year) for cyber liability insurance, though your premium depends on the volume of patient records you store, the security controls you have in place, the coverage limits you select, and your claims history. Premiums scale gently — typically an additional $400–$600 per year for each additional million dollars of coverage. Compared to the average healthcare breach cost of $7.42 million, the premium-to-exposure ratio makes cyber insurance one of the most efficient risk transfers available.

What is Texas HB 300 and how does it affect my practice after a breach?

Texas House Bill 300 (effective September 2012) amends the Texas Medical Records Privacy Act to expand privacy protections beyond federal HIPAA requirements. It broadens the definition of “covered entity” to include anyone who handles PHI, requires employee privacy training within 90 days of hire, mandates notification to the Texas Attorney General within 30 days if 250+ Texans are affected by a breach, and authorizes state penalties ranging from $5,000 to $1.5 million per year — stacked on top of any federal HIPAA penalties. For Texas practices, this creates a dual-liability exposure that makes robust cyber coverage essential.

Will my business owner’s policy (BOP) cover a ransomware attack?

Almost certainly not adequately. While some BOPs include a cyber endorsement, these endorsements typically provide very low limits ($10,000–$50,000), exclude key exposures like social engineering fraud, funds transfer fraud, and regulatory penalties, and may not cover first-party costs like data recovery and business interruption from a cyber event. For a medical or dental practice handling PHI, a stand-alone cyber policy is the recommended approach — it provides broader language, higher limits, and dedicated coverage for the specific risks healthcare practices face.


George Azide

Founder & Principal, The Agent’s Office® · Frisco, Texas

George is the Founder of The Agent’s Office® in Frisco, Texas. As an independent agent, he specializes in translating complex insurance terms into plain-English strategies for families and business owners. George helps clients across North Texas protect their income and assets through customized insurance solutions.
