Cyber Insurance: The New Shadow Regulator In Healthcare Marketing
We’ve all heard why pixels are problematic in healthcare (read up here if you haven’t). But what’s new and surprising is that it’s not just regulators or journalists driving scrutiny anymore.
Cyber insurers who protect organizations against financial losses caused by cyber incidents—such as data breaches, ransomware attacks, and violations of privacy laws—now play the role of “shadow regulator,” shaping whether healthcare organizations can get or keep coverage.
Together with Beckers, we recently hosted a panel featuring three leading experts in cyber insurance—Mallory Goodwin from Fenwick, Andrew Correll from Post-Bind Cyber, and Emily Davis from Willis—to find out what healthcare marketers need to know (and do) about this new development.
Watch the recording below or keep scrolling to read the recap.
If you don’t have 60 minutes to watch, here’s what you need to know:
Why Cyber Insurers Now Care About Your Pixels
When most people think about oversight in healthcare marketing, they think about regulators like HHS, the OCR, or state attorneys general. But a surprising new player has stepped into the arena: cyber insurers.
As Freshpaint’s Ray Mina put it: “This isn’t about a regulator—it’s about cyber insurance brokers who may be impacting your ability to have coverage, or even driving up your premiums.”
Cyber insurers don’t write laws or issue fines. What they do control, however, is whether your organization can secure or renew coverage—and at what price. And lately, insurers are treating pixels and other tracking technologies as one of the most pressing risks in healthcare.
Why? Because insurers are the ones footing the bill when class actions, HIPAA violations, or state privacy lawsuits hit. Pixel-related cases have exploded in frequency, with more than 200 filed in recent years. Worse still, these aren’t minor losses. They’re what insurers call “limit losses”—claims so costly they max out policy limits, combining high frequency with high severity.
“These aren’t the kinds of losses insurers like,” says cyber insurance expert Andrew Correll. “They’re high frequency and high severity—class actions that can max out policy limits. The premiums insurers collect are a drop in the bucket compared to what these claims can cost.”
To protect themselves, insurers are taking on the role of shadow regulator. Here’s what that looks like in practice:
- Site scans expose hidden trackers: Underwriters don’t just take your word for it on applications. “Pixels and other trackers don’t stay inside your four walls,” Andrew noted. “They communicate with outside parties like Meta or Google—and that traffic is detectable.”
- Coverage exclusions are rising: Some carriers flatly refuse to cover organizations using pixels. Others apply strict sublimits or deny renewals. Emily Davis, a broker at Willis, shared that “questions about pixels are now becoming standard in applications, especially for healthcare. For some carriers, just using a tracker can mean an exclusion or even non-renewal.”
- Premiums and terms hinge on marketing practices: Something as seemingly harmless as a retargeting pixel can now impact your organization’s bottom line.
The legal backdrop only sharpens insurer anxiety.
As Mallory Goodwin, counsel at Fenwick, explained: “We’re seeing claims based on HIPAA, but also on wiretap acts, state privacy laws like the CCPA, and even the Video Privacy Protection Act. At the center of all of them is the same theme: invasion of privacy and lack of consent.”
The result? Even though insurers aren’t regulators in the traditional sense, their decisions now dictate what healthcare marketers can and can’t do. And if you want coverage, you have to play by their rules.
How Cyber Insurers Evaluate Risk and How You Can Mitigate It
Cyber insurers aren’t just looking for pixels anymore—they’re scrutinizing how organizations understand and control their risk. At its core, underwriting boils down to exposures versus controls. The exposure is the potential financial loss tied to pixels; the controls are the safeguards an organization has in place.
“Underwriters want to know if you have your stuff together,” explained Andrew Correll. “Do you even know where your pixels are? Do you understand the exposure? And do you have proper controls in place to mitigate that risk?”
Applications that once asked vague questions about patient data now include explicit, pixel-specific question sets.
Now carriers are asking:
- What tracking technologies are in use?
- Where are they deployed?
- How do you obtain user consent?
- Has your privacy notice been vetted by counsel?
Simply ticking “yes” on an application isn’t enough anymore. “We’re seeing pixel tracking questions become standard,” said Emily Davis of Willis Towers Watson. “And just acknowledging you use them will trigger deeper underwriting, follow-up questions, and sometimes exclusions or higher retentions.”
For organizations, this means staying insurable requires a deliberate, cross-functional effort:
- Inventory all trackers: Marketing and IT teams must map every pixel and tag across sites, apps, and campaigns.
- Strengthen consent practices: Cookie banners alone often fall short. Real consent requires clarity, affirmative choice, and updated privacy policies that reflect what’s actually happening.
- Align teams: Marketing, legal, compliance, and risk management must present a united front. Inconsistencies between teams erode credibility with underwriters and can even justify claim denials later. As Emily warned, “If your application says one thing but a scan shows another, that’s a red flag that can hurt you at renewal—or in the middle of a claim.”
- Work with knowledgeable brokers: Coverage terms vary widely across carriers, and skilled brokers can help negotiate carve-backs or avoid blanket exclusions.
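The inventory step, and the application-versus-scan mismatch Emily describes, can be checked in-house before an underwriter does it. The sketch below is an added example, not code from the panel or from Freshpaint; the site name `example-health.test`, the sample page, and the declared list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; example-health.test is a hypothetical first-party domain.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<img src="https://cdn.example-health.test/logo.png">
<img src="//px.ads-vendor.example/tr?ev=PageView" height="1" width="1">
</body></html>
"""

class ThirdPartyCollector(HTMLParser):
    """Collects hosts of resources loaded from outside the first-party domain."""
    URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # hostname is None for relative URLs; "//host/..." parses as a host.
        host = urlparse(url).hostname
        if host and host != self.first_party \
                and not host.endswith("." + self.first_party):
            self.hosts.add(host)

def audit(html, first_party, declared):
    """Compare hosts seen in the page against the inventory on the application."""
    collector = ThirdPartyCollector(first_party)
    collector.feed(html)
    return {
        "undeclared": sorted(collector.hosts - declared),
        "declared_not_seen": sorted(declared - collector.hosts),
    }

if __name__ == "__main__":
    # Constructed inventory, as it might appear on an insurance application.
    declared = {"www.googletagmanager.com", "fonts.example-cdn.example"}
    print(audit(SAMPLE_HTML, "example-health.test", declared))
```

This reads static HTML only; tags injected at runtime by a tag manager or inline script will not appear, so a complete inventory also needs a capture of the requests a real browser session makes.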
“Ultimately, insurers want to know: if we write this risk, are we going to be dealing with a million-dollar class action?” said Mallory Goodwin, counsel at Fenwick. “If you can show you’ve mapped your trackers, updated your policies, and gained real consent, you’re in a much stronger position.”
The message is clear: knowing how insurers evaluate risk is the key to understanding why these steps aren’t optional. They’re now a prerequisite for coverage.
The Road Ahead: What to Expect and What to Do Now
Right now, insurers are playing it safe. The industry doesn’t yet have enough claims data to model pixel-related risks with confidence, so most carriers default to exclusions and strict underwriting.
“There’s been a recent shift toward more exclusionary language,” said Emily Davis. “Insurers simply don’t want to take on unknown exposure, so until they understand the losses better, we’re going to see them limiting coverage.”
But history suggests this won’t last forever.
Cyber insurance has faced new threats before—ransomware, AI-driven attacks, state-sponsored cyberwarfare—and each time the pendulum swung. At first, carriers clamped down with hard exclusions. Later, as loss data accumulated and best practices emerged, they introduced more nuanced coverage.
“I’ll be definitive on this,” said Andrew Correll. “Yes, insurers will eventually become more flexible. That’s always the pattern. It just takes time—and in the meantime, the organizations that demonstrate strong controls will have the advantage.”
What does that mean for healthcare marketers right now? It means you can’t wait. Mapping your pixels, tightening your consent practices, and aligning across teams isn’t just about compliance—it’s about staying insurable in an environment where coverage can evaporate overnight.
As Mallory Goodwin summed it up: “If you can show you’ve put the right controls in place and haven’t faced claims, you’re far more likely to keep coverage—even if it comes with sublimits or carve-backs at first.”
Put the Right Controls In Place Today
This webinar was just the start. Risk & Exposure is a three-part series, and the next two installments will dive deeper into how healthcare organizations can manage this evolving landscape.
- Register to attend the next two sessions in the series.
- Reach out to Freshpaint to learn how we help healthcare organizations market compliantly—without putting coverage at risk.
Because in today’s healthcare marketing environment, the question isn’t just “What can regulators stop you from doing?” It’s also “What will your insurer let you do?”