For businesses and health-care institutions, the threat of cyber fraud is on the rise, unleashing fierce competition among law firms and consultants seeking to advise them.
Medical records are especially ripe targets because fraudsters can milk the full value of a health-insurance policy.
But, for all the high-tech and legal firepower available, some experts say the best protection may be better training of employees.
As the threat rises, so have the ranks of lawyers making it a specialty. Most large firms have practice groups devoted to data security, and so do many smaller ones, fueling the competition.
"It has grown exponentially in the past five years, and the landscape has become quite competitive," said Scott Vernick, a partner at Fox Rothschild who focuses on privacy, data security, and litigation. "When I started doing this 10 years ago, I had trouble convincing people that this was something to pay attention to."
"Today, any self-respecting firm has a group."
A series of high-profile data breaches - notably the huge loss of records by Target and the attack by North Korean hackers on Sony, exposing sensitive internal emails - have raised awareness. A total of 47 states, including Pennsylvania and New Jersey, have passed laws requiring that customers be notified when a breach has occurred and setting standards to protect data.
It's easy to see why. California, with the nation's toughest data-security statutes, says that just in that state, about 49 million digital records have been improperly accessed or disclosed since 2012.
And the pace seems to be accelerating. Nearly half those data breaches, about 24 million records, occurred in 2015, according to state Attorney General Kamala Harris.
For any entity that stores confidential customer data, the cost of a breach can be enormous. Jordan Rand, a lawyer at Center City's Dilworth Paxson who focuses on data breaches and related insurance disputes, estimates that companies pay out on average $300 for every record compromised. That's the cost of detection, notification of consumers, restoration of records, legal representation, and other actions.
That high cost has spawned a new market in insurance coverage for companies looking to protect themselves.
Rand works with Reclamere, a firm near State College, Pa., that helps companies protect their computer systems from breaches and gives assistance if hackers have gained access.
CEO Angie Singer Keating said she often focused on helping health-care institutions secure sensitive patient data. Reclamere also works with such law firms as Dilworth when a data breach leads to litigation.
Health-care records are particularly vulnerable because hospitals, physician practice groups, and other providers are not as far along as financial-services companies in securing data and because health-care records are so valuable, experts say. A typical patient file might include not only Social Security numbers but credit-card and health-insurance information, along with confidential medical records.
"Once I have your medical identity, I can do almost anything," Keating said. "I can get prescription drugs in your name, if I am part of a fraudulent Medicare or Medicaid scheme. I can submit fraudulent [health care] claims, and I can sell your identity."
For patients, the consequences can be catastrophic. Fraudsters have used stolen health-insurance policies to pile on charges up to their lifetime caps.
Meanwhile, health records can be corrupted with the health information of the cyber thief, potentially endangering the real policyholder.
Breaches often involve sophisticated hacking techniques that, because they are ever changing, are hard to stop. But Sandra Jeskie, a partner at Duane Morris, who focuses on litigation involving disputes over software and data breaches, says companies also are vulnerable to low-tech fraud.
Typical are computer criminals posing as bank executives or company leaders asking lower-level employees for sensitive data, such as credit card numbers.
All too often, she says, employees with legitimate access to the data are too willing to turn it over.
Many attacks start with phone calls. Employees can learn to report red flags, follow procedures, and avoid opening attachments that can introduce malware.
"A lot of protection is actually training," said Jeskie, who worked as a computer scientist before obtaining her law degree. "It's not just a matter of throwing money at a firewall."