When most people in Singapore hear the word "clinic", they picture a GP around the corner. But clinics in Singapore cover a wide spectrum of practices: general practitioners, specialist outpatient clinics (cardiologists, orthopaedic surgeons, oncologists, neurologists, psychiatrists), dental and oral surgery practices, aesthetic medicine clinics, Traditional Chinese Medicine (TCM) practices, eye centres, and allied health providers such as physiotherapists, psychologists, and dietitians.
What every one of these has in common is this: they give clinical advice or perform procedures on patients, and they hold sensitive patient health data. Those two facts create two distinct but connected insurance exposures that most clinic owners manage separately, if they manage them at all.
What medical malpractice insurance covers
Medical malpractice insurance is the professional indemnity cover for healthcare providers. It responds when a patient makes a claim arising from a clinical error: a misdiagnosis, a wrong prescription, a procedure that causes harm the patient did not consent to, or advice that led to a delayed treatment decision with serious consequences.
The claim does not need to succeed for the costs to be real. Defending a malpractice claim, even one that is ultimately dismissed, involves legal fees, expert witnesses, and time taken away from running the clinic. In a small practice where the clinic director is also the sole practising doctor, a contested claim can affect operations for months.
Malpractice cover is typically written on a claims-made basis, which means the policy that responds is the one in force when the claim is made, not when the treatment was given. A patient treated in 2023 can file a claim in 2026. If the clinic changed insurer or let the policy lapse in between, and the new policy does not carry run-off protection for prior acts, the 2023 treatment may not be covered. This is one of the most common and most avoidable gaps in clinic insurance.
Why cyber has become a clinical risk, not just an IT risk
Most clinic owners think of cyber as an IT problem. Singapore clinics, particularly smaller practices, mostly do not have an IT department. They have a practice management software system, an electronic medical record (EMR) platform, and a cloud-based appointment and billing system. If any of these goes down, is compromised, or is inaccessible, the clinical risk is immediate.
Think about what a doctor cannot do when patient records are unavailable. They cannot verify a patient's known drug allergies before prescribing. They cannot review past test results before ordering new ones. They cannot check whether a patient is already on a medication that would interact with what they are about to prescribe. Every treatment decision made without that information is a clinical decision made with incomplete data.
A ransomware attack, in which a criminal locks a clinic's computer systems and demands payment to restore access, does not need to steal any data to create a malpractice exposure. The inaccessibility of the records is itself the problem. And in Singapore, ransomware cases increased 21 per cent in 2024 according to the Cyber Security Agency of Singapore's Singapore Cyber Landscape 2024 report, with healthcare consistently among the sectors highlighted for the sensitivity of the data they hold.
The PDPA obligation that most clinics underestimate
Under the Personal Data Protection Act 2012 (PDPA), every organisation in Singapore that handles personal data must make reasonable security arrangements to protect it. For a clinic, personal data includes names, identification numbers, contact details, and all clinical information: diagnoses, prescriptions, treatment histories, mental health records, and test results.
This is some of the most sensitive personal data the PDPA recognises. A breach of patient records is not the same as a breach of customer email addresses. The harm to affected individuals can be significant: discrimination in employment, social stigma, and deeply personal information in the wrong hands.
When a breach affects 500 or more individuals, or is likely to cause significant harm to individuals, it becomes a notifiable breach. The clinic must report to the PDPC within three calendar days of assessing the breach as notifiable, and must notify affected patients. The PDPC has been active in enforcement against healthcare organisations, and the penalties reflect the seriousness with which patient data is treated.
Cyber insurance covers the costs of responding to exactly this situation: forensic investigation to establish what happened, legal advice on the notification obligation, the cost of notifying affected patients, and regulatory defence if the PDPC investigates. Without it, all of those costs land on the clinic at the same time as it is trying to manage the operational disruption of a compromised system.
The scenario where both policies are triggered by one event
Here is the scenario that illustrates why the two covers need to work together, not just exist alongside each other.
A dental clinic's practice management system is locked by ransomware on a Tuesday morning. Patient records are inaccessible. The clinic continues operating because patients have booked appointments and the dentist proceeds from memory and physical notes where available. A patient comes in for a procedure. A relevant allergy recorded in the system is not checked because the system is down. The patient has an adverse reaction.
The patient makes a malpractice claim. The dentist was unable to access the allergy record because of the ransomware attack. The malpractice insurer may argue that the clinical error was caused by a cyber event and that the malpractice policy does not cover cyber-related losses. The cyber insurer covers the IT response costs but may argue that the patient's clinical claim is a professional liability matter, not a data breach.
If the two policies were placed without awareness of each other, each one may contain exclusions that point the patient's claim to the other. The clinic is left navigating that gap at the worst possible moment, while also managing an operational crisis and a distressed patient.
A coordinated placement, where both policies are reviewed together with their exclusions checked against each other, addresses this before it becomes a claims problem.
The MOH licensing dimension
Clinics in Singapore operate under licences granted by the Ministry of Health (MOH) under the Private Hospitals and Medical Clinics Act (PHMCA). The clinic director who holds the licence carries personal responsibility for the clinical and operational standards of the practice.
A governance failure that results in a serious patient-harm claim or a PDPC enforcement action is not just a business risk. It is a personal professional risk that can affect the director's licence to practise. The personal dimension of clinic ownership is different from running a general SME, and the insurance programme needs to reflect that. Cover that responds only to business-level claims, and not to the personal professional liability of the clinic director, may leave the most important exposure unaddressed.
What to check before the next renewal
For any clinic owner reviewing their current insurance arrangements, here are the questions worth asking.
On the malpractice side: Does the policy carry run-off protection for claims arising from treatment given before the policy period? If you change insurer at renewal, will claims arising from prior periods be covered? What is the definition of a covered medical incident, and does it extend to all the clinical activities your practice actually performs?
On the cyber side: Does the policy cover ransomware and the business interruption caused by system inaccessibility, not just data theft? Does it cover contingent business interruption, meaning lost revenue from the clinic being unable to operate normally while systems are restored? Does it cover the PDPA notification costs and regulatory defence if the PDPC investigates?
Across both: Are there exclusions in the malpractice policy for cyber-related events, and exclusions in the cyber policy for professional liability? If so, how are they defined, and do they create a gap for the scenario where a cyber event contributes to a clinical error?
You can read more about how cyber insurance works for Singapore businesses in Cyber Insurance in Singapore: It Is Not Just for Hackers, and about our professional indemnity cover and cyber insurance on the products page.
If you would like to review how your clinic's malpractice and cyber covers sit together, and whether the wordings are coordinated in the way they need to be, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.