Corporate risk management is rapidly changing, and no area is more susceptible to this change than employer workers' compensation programs. Most cybersecurity discussions focus on financial transactions involving large volumes of customers (e.g., retail purchases) or on access to bank accounts; however, cybercriminals now seem to be concentrating on insurance companies that provide specialized services at the intersection of an employee's health and the employer's financial interests.
Employers rely on third-party administrators to process sensitive claims, and those administrators must maintain adequate network security if employers are to keep their confidence in them. The lack of security in this space became apparent when Cove Risk Services experienced a data breach that affected its internal network and resulted in exposure of the personal and health-related data of every individual covered under a workers' compensation program administered by Cove Risk Services. The Cove Risk Services data breach demonstrates why workers' compensation data has become a target for highly sophisticated cybercriminals.
"Double Threat" Dataset
Workers’ compensation programs have become a prime target for data thieves because of the large amount of data they collect. A workers’ compensation claim file is a “Double Threat” because it combines two types of sensitive information: Protected Health Information (PHI) and Personally Identifiable Information (PII).
Each individual file or claim typically contains:
- Social Security number (SSN) and wage statements (payroll records);
- Detailed medical history (treatment records), along with a report of any injuries sustained in the workplace;
- Bank account information used to pay the injured worker their benefits;
- Confidential legal papers (e.g., medical excuse letters) from all providers related to the injury, and the government-issued ID (state ID) of the injured worker.
Medical information on the dark web sells for a much higher price than a credit card. A credit card can be cancelled within minutes once the theft is discovered; a medical record and the associated Social Security number cannot be cancelled. The thief can continue to use this information for many years to commit long-term identity theft, insurance fraud, or medical extortion.
An Interrelated Ecosystem
Modern risk management relies heavily on various service providers working together. Insurance companies and organizations that choose to self-insure rely on third-party administrators (TPAs) to handle the majority of the work involved in claims management. The TPA acts as an information-sharing hub, collecting all the necessary data provided by employers, medical clinics, and legal teams.
This centralization of information creates a concentration risk for TPAs. Instead of having to hack into each individual small business, an attacker only needs to find one weakness within a TPA's network in order to access thousands of policy records. As TPAs continue to progress through digital transformation and automated claims processing, the attack surface of each TPA grows significantly, leading to an increase in cyber threats.
Fragmented Accountability and Old Legacy Systems
The continued existence of legacy software has also made the sector a target. Many insurance and risk management services use older, proprietary systems that lack modern encryption and cannot support multi-factor authentication (MFA). Because many TPAs connect to newer, digital, compliance-based claimant access portals, integration gaps arise that give cybercriminals quick access to vulnerabilities.
Moreover, because workers' compensation claims are long-term in nature, they generate archives that are retained for many years (e.g., decades). Storing extensive amounts of data over time means these archives hold so much private and sensitive data that the repercussions of a system breach could be significant: an archive may contain an entire lifetime of private and sensitive data that has never gone through the data minimization processes that are now standard in many industries.
Conclusions
Employers and administrators must change how they think about data protection, because the cyber threats they face now differ from those they faced 10 years ago. Data protection is no longer simply a component of IT (i.e., "the back office"); it is part of an overall risk management approach. As recent breach incidents have shown, failing to maintain security on a network is no longer just a technical failure but a serious threat to the financial and personal health of our workforces.
