Ethos Healthcare Professional Liability Blog

Privacy Breaches & Cyber Attacks: Real Healthcare Claim Scenarios

Written by Lindsay Youngs | May 11, 2016 5:50:25 PM

Actual and attempted breaches of the security measures protecting the computer networks of healthcare-related operations in the U.S. continue to make the news.  According to a recent article posted by CNBC, “Another Big Health Risk That Can Really Hurt You,” a staggering 95 million American patient records were exposed in 2015.  If each of those records was associated with a different American, that would mean that nearly 30% of us had our health information compromised last year.

A sizeable percentage of these compromised patient records were related to hacking incidents involving health plan operations Anthem, Premera Blue Cross and CareFirst BlueCross BlueShield – some of the largest companies in the healthcare space.  Yet, it is not just the largest of healthcare operations that are targeted by computer hackers.

That same article summarized responses to a survey conducted in August 2015 by cyber security expert KPMG Cyber, revealing that 81% of the 223 executives in charge of healthcare providers and health plans reported that their organizations were the target of at least one cyberattack in the previous two years.  The article goes on to explain that hackers are targeting healthcare operations of all sizes now, for two reasons:

  1. There is more money to be made by selling people’s personal information than by simply selling credit card numbers.
  2. It is relatively easy for hackers to crack the healthcare industry’s defenses.

Now, perhaps more than ever before, it is critical that your healthcare clients have the cyber liability insurance protection they need.

NAS Insurance Services, a leading market in this space, has compiled recent claim scenarios and the costs associated with rectifying them (Source: NAS Claims Dept., 2013). These examples demonstrate how cyber breaches can – and do – take place:

  1. An insurance consultancy, not typically a covered entity for HIPAA-required notification, had a breach of secure private data because of a vulnerability on their web server. Much of the data on the server was unencrypted. Forensic analysis was required to determine the extent of the breach, and the extent to which the information accessed was private. Legal counsel and IT security experts determined that notification was required, as the information exposed included Private Health Information (PHI). A call center for escalated inquiries was established and credit monitoring was offered to potentially affected parties. Although the breach lasted only a limited period of time, costs were significant because approximately 6,000 records were openly available on the Internet, and each record contained information on more than one potentially affected party.
     • Total Breach Response Costs: $250,000
  2. A physician suffered a burglary at his residence and his work laptop was stolen. The laptop had his entire 15-doctor medical group’s patient database on it, which contained 57,000 records. Unfortunately, the laptop was not encrypted. Legal counsel was appointed to determine notification requirements and manage the response process. Counsel worked with the insured’s IT department to determine that there were 37,000 unique identities on the laptop. The medical group was also required to publish a notice of the breach on their website and in the local media. Additionally, the group was required to notify the Office of Civil Rights of the breach, which led to a Department of Health and Human Services (DHHS) investigation. The Office of Civil Rights required a complete submission from the medical group outlining how they were in compliance with the various provisions of HIPAA. Counsel worked with the medical group to show proof of strong privacy controls and training procedures, resulting in the DHHS closing its investigation.
     • Estimated cost to respond to the breach (at $10 per record): $370,000
  3. A plastic surgeon posted unauthorized “before and after” photos of several patients on the practice’s website and failed to remove the meta tags on the pictures listing the patients’ first and last names. The issue was discovered when a patient performed a Google search on herself, and the explicit pictures showed up in the search. There have been 15 invasion of privacy actions taken against the plastic surgeon to date, with several settling in the range of $150K per plaintiff.
     • Additional legal expenses incurred: $50,000
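The third scenario turns on a detail that can be checked before any image is published: JPEG files carry metadata segments (EXIF, XMP, IPTC, free-text comments) in which a camera, an editing tool or a staff member may have recorded a name. The script below is an added example, not code from the original post or from NAS or Ethos. Using only the Python standard library, it walks the marker segments that precede the image data, reports the printable text found in the metadata-carrying segments, and writes a copy with those segments removed. The sample file `SAMPLE_JPEG`, the names inside it and the script name `jpeg_meta.py` are constructed for the demonstration; the EXIF body is a stand-in rather than a valid TIFF structure, and the scan data is a placeholder, so the sample exercises the parser, not an image decoder.

```python
"""Audit and strip identifying metadata from JPEG files before publication.

Standard-library only: parses the JPEG marker segments that precede image
data, lists printable text in the segments that carry metadata, and rebuilds
the file without them. Example code, not from the original post.
"""
import struct
import sys

SOS, EOI = 0xDA, 0xD9  # start of scan (image data follows), end of image
# Segments that commonly carry free text an editor or camera wrote. APP0 (JFIF),
# APP2 (ICC profile) and APP14 (Adobe) are left alone: decoders may need them.
METADATA_MARKERS = {
    0xE1: "APP1 (EXIF/XMP)",
    0xED: "APP13 (IPTC/Photoshop)",
    0xFE: "COM (comment)",
}


def _segment(marker, payload):
    """Encode one marker segment: FF, marker, 2-byte length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def split_jpeg(data):
    """Return (list of (marker, payload) before SOS, bytes from SOS to the end)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker byte at offset %d" % pos)
        if data[pos + 1] == 0xFF:  # fill bytes before a marker are legal
            pos += 1
            continue
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def printable_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for byte in blob + b"\x00":  # trailing sentinel flushes the final run
        if 32 <= byte < 127:
            run.append(byte)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def audit_metadata(data):
    """List (segment name, printable strings) for every metadata-carrying segment."""
    return [(METADATA_MARKERS[m], printable_strings(p))
            for m, p in split_jpeg(data)[0] if m in METADATA_MARKERS]


def contains_text(data, needle):
    """True if `needle` (e.g. a patient's name) appears in any metadata segment."""
    return any(needle in s for _, strings in audit_metadata(data) for s in strings)


def strip_metadata(data):
    """Rebuild the JPEG without metadata segments; the image data is untouched."""
    segments, rest = split_jpeg(data)
    kept = b"".join(_segment(m, p) for m, p in segments if m not in METADATA_MARKERS)
    return b"\xff\xd8" + kept + rest


# Constructed sample: a minimal JPEG skeleton whose EXIF, XMP and COM segments
# carry made-up names. The EXIF body is a stand-in, not a valid TIFF structure,
# and the scan data is a placeholder; it exercises the parser, not a decoder.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08Artist: Jane Doe\x00")
    + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00"
               b"<x:xmpmeta><dc:title>Jane Doe</dc:title></x:xmpmeta>")
    + _segment(0xFE, b"Patient: John Smith")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    # Usage: python jpeg_meta.py [in.jpg [out.jpg]]; with no arguments, audits the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    for name, strings in audit_metadata(data):
        print(name, strings)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(strip_metadata(data))
```

Run against a directory of images, `audit_metadata` gives a reviewer the list of text a search engine or a casual download would expose, and `contains_text` can be pointed at the practice's patient list so that a file naming any patient is blocked from upload. Stripping is deliberately conservative: only the segments known to carry free text are dropped, so colour profiles and the image data itself are unchanged, and the result should be checked in an image viewer before it replaces the original.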

Privacy breaches and cyber-attacks are no longer just a concern for Fortune 500 companies.  Small companies can prove to be even easier targets.  Healthcare providers are at an increased risk for higher costs associated with breaches, due to the massive amounts of information they store and have access to.  Don’t let your healthcare providers be caught off guard. Help them mitigate their risk with the appropriate cyber liability coverage.

Ethos Insights

  1. Hackers, like the technologies they aim to plunder, get more sophisticated with every passing day. Covering the risks associated with breaches is a way for healthcare entities to stay one step ahead of the bad guys.
  2. Cyberattacks happen in organizations of every shape and size. No system is immune.
  3. The costs associated with covering cyber risks are a fraction of what it can take to clean up after a breach.