5 Cyber Threats for Therapy Practices

By: Tom Hill

The rise of telehealth technology has opened up a world of possibilities for therapy practices. However, while offering remote therapy appointments has plenty of benefits, it’s also important to remember that there will always be certain threats where new tech is introduced.

The number of cyber attacks against healthcare facilities has been steadily increasing in recent years. As such, practices must both be aware of the cyber threats they face and take steps to protect themselves.

In this article, we’ll look at five of the most common cyber threats to therapy practices and a few steps you can take today to avert them.


Ransomware

Ransomware attacks are a massive threat to the healthcare community and must be taken seriously. Studies have shown that around 66% of healthcare organizations in the U.S. were subject to ransomware attacks in 2021, which is a marked increase from previous years.

Ransomware is malware that prevents the user from accessing their systems until a ransom is paid. This means that practices wouldn’t be able to retrieve any personal information on their patients until the malware has been removed. There have been instances of criminals demanding upwards of one million dollars to decrypt the affected data.


Phishing

Criminals use phishing scams, also known as Business Email Compromise (BEC), as a way to get their hands on sensitive data.

They do this by tricking users into clicking a fraudulent link that takes them to a fake login page. Once the user has entered their login details, the criminal can use that information to access the organization’s real systems. From there, the criminal can reach the organization’s financial and patient data, which they can then sell or use to commit identity theft.

Vulnerable Infrastructure

The majority of cyber threats target individual users. They rely on individuals making errors, such as downloading malware, that give criminals the access they need. But that’s not always the case. Criminals may also look for “open windows” within the organization’s technological infrastructure.

It’s much easier for criminals to access out-of-date software, especially if the software is known to have a security vulnerability. The developers of software systems are always updating their programs to plug gaps and increase security, but in many cases, these updates don’t occur automatically — the user has to actively hit the ‘update’ button. If they don’t, their system’s security will be compromised until the update is processed. It’s the digital equivalent of leaving your front door unlocked; doing so doesn’t necessarily mean that you’ll be burgled, but it makes it easier for criminals to gain access.

Stolen/Lost Equipment

Not all cyber attacks occur via remote access. Some happen due to direct access to devices that contain sensitive data, and the consequences can be significant. The theft of a work-related laptop, for instance, doesn’t just result in the loss of the value of the machine, but also all of the information held on the laptop.

It’s easy to see how a device could be lost or stolen in a world where remote work is more common than ever before. A therapist who temporarily leaves their laptop on a public table while they go to the bathroom may return to find that their computer — plus all of the patient information held on the device — is gone.

Intentional or Accidental Insider Threats

While your staff often doesn’t mean to cause harm, humans are fallible and accidents happen. Individuals may access emails without checking their origin, use work-related devices with their coworker’s logins, or be involved in any number of other instances that can affect the security of your system.

Unfortunately, while many of these scenarios are accidental, there are occasions when staff maliciously violate their practice’s system to steal patient information or financial data, which they then sell to criminals.

What Happens Following a Cyber Threat?

Now that we’ve gone through how cyber criminals may target an organization, let’s consider what could happen if they’re successful.

The most obvious consequence of a cyber attack is loss of revenue. Cybercriminals don’t engage in their illicit activities for fun — they do so because of the financial incentive.

Once an attack is launched, healthcare organizations must investigate the breach as soon as they find out, potentially pause their operations due to loss of system access, replace compromised systems/machines, and pay any demanded ransom fee. None of those ventures will be cheap. In fact, they can greatly impact your practice’s bottom line. Indeed, the costs can be so significant that some organizations end up having to close their doors for good.

What Can a Therapy Practice Do to Protect Itself?

You can’t prevent a criminal from trying to cause you harm, but you can significantly reduce their chances of succeeding.

Educate Staff

Cybercriminals rely on human error for many of their activities, especially when conducting phishing scams. Train your staff to be on the lookout for suspicious emails, phone calls, and texts. If there are any doubts about the legitimacy of those messages, encourage your team to refer the communication to management.

Use Encryption

A well-encrypted network is much more difficult to breach than a poorly encrypted network. Make sure your systems use the latest technology and keep your software up-to-date.

Work With Experts

Cybercriminals are professional, so your defense should be, too. It’s better to hire a professional cyber security team rather than trying to combat the threat yourself.

Get Cyber Liability Insurance

Even if you take all the recommended steps, it’s still possible that you’ll experience a breach. Cyber liability insurance can ensure that you have an extra layer of protection in the event of a successful cyber attack.

Final Thoughts

Modern technology allows therapy practices to offer next-level standards of service to their patients, but it does come with risks. Take precautions, be aware of cyber threats that may be used against your practice, and train your staff to recognize them when they arise. Additionally, consider investing in cyber liability insurance as additional protection to ensure that any such attack won’t significantly impact your business’s finances or daily functions.

About the Author

Tom Hill, Insurance Agent for the John Hill Insurance Agency

As a commercial insurance producer for the John Hill Insurance Agency, I work with our clients and business partners to ensure they are appropriately protected. I’m the third generation of commercial insurance producers from our family-owned agency, letting me draw on a lot of experience beyond my own. And with new markets constantly emerging, there’s always something new to explore for your business.
