Does Your Healthcare Facility’s Insurance Program Protect Against Loss of Private Information

By Steven Brown, Vice President

Few CEOs, CFOs or risk managers are able to appropriately respond to this question from their Board of Directors unless the facility has previously suffered such a loss. While we have all heard the news stories of large banks, credit card companies, or credit agencies that have had breaches of their security affecting hundreds of thousands of customers. Similar breaches occur regularly at healthcare facilities across the nation. Obviously, sensitive financial information of patients and/or employees is at risk but a healthcare facility has the additional exposure associated with maintaining the health record confidentiality of its patients.

While there have been many incidents that involved larger numbers of lost records, here are a few recent incidents involving healthcare facilities that were made public:¹

• 01/25/2010: University Medical Center, Las Vegas, NV: For more than three months, someone at University Medical Center illegally leaked the personal information of traffic accident victims — a breach of Social Security numbers, birth dates, and more – that only stopped when the Las Vegas Sun contacted the hospital about it.
• 07/16/2009: Moore’s Cancer Center, San Diego, CA: A hacker breached the center’s computers and gained access to patients’ personal information. It is believed that 30,000 personal records were affected.
• 06/12/2009: Oregon Health & Science University, Portland, OR: A physician’s laptop was stolen from a car parked at the doctor’s Washington County home. Patient names, treatment dates, short medical treatment summaries, and medical record numbers were stored on the computer. There were no home addresses, billing information or Social Security numbers stored on the laptop. While not known for certain, it is believed that 1,000 records may have been compromised.
• 03/06/2008, Cascade Healthcare Community, Princeville, OR: A computer virus may have exposed to outside people the names, credit card numbers, dates of birth, and home addresses of individuals who donated to Cascade Healthcare Community. 11,500 records were affected.

As seen above, many losses are due to persons outside the facility, but as awareness and security procedures are enhanced, a majority of these types of events now stem from insider negligence. In 2008, more than 88% of all in incidents involved negligence of insiders.

For those facilities that are using electronic medical records or are in the process of working towards that standard, the exposure to security threats and data loss becomes greater. Currently, at least 47 states have enacted laws requiring notification of security breaches involving personal information². In addition to state-specific breach laws, healthcare facilities are affected by the following legislation:

• Health Information and Portability Accountability Act (HIPAA).
• Fair and Accurate Credit of Transactions Act “Red Flag Rules” (FACTA).
• Fair Trade Commission’s Disposal RuleCalifornia’s Online Privacy Protection Act (OPPA).

OPPA pertains to commercial websites that collect personal identification information from California residents that visit their website³. The act requires websites to contain an easily located link to their privacy policy and the required contents of such policy. Any website that is accessible by a California resident is subject to this Act’s requirements.

Despite all of the statutory requirements, the single most important reason for healthcare institutions to maintain security and protect confidential information may be their reputations. According to the Ponemon Institute’s most recent study, customer loyalty is a particular challenge to healthcare institutions with an average reduction in their businesses of 6.5% following a publicly disclosed data breach.⁴

What are the costs associated with the loss of personal and confidential information? According to the Ponemon Institute’s fourth annual U.S. Cost of a Data Breach Study, the average cost per lost record was $202 in 2008⁵. Using this metric, a facility’s loss of 5,000 records will result in an average total cost in excess of $1 million.

Cleary, the threats to security and privacy of healthcare facilities come from many sources, which leads us to the initial question, does your insurance program provide the necessary protection for these types of incidents? General Liability insurance, Directors & Officers Liability insurance, and Crime insurance policies are three potential coverage sources. With general liability policies, while invasion of privacy may be covered, unauthorized disclosures of information via hacking, a stolen computer, or lost media may not be covered since it does not involve intentional disclosure by the insured⁶. Most GL policies will exclude loss of data, while many can be amended to provide for loss of data of others. To be covered, however, the loss must involve an accident resulting in damage to tangible property and this does not occur in losses affecting personal information.

Crime policies generally provide coverage for theft of tangible property. While some can be endorsed to include theft of the insured’s information, crime policies are property policies so they will not respond to lawsuits from third parties brought against the insured as a result of lost or stolen data. While Directors & Officers policies may provide coverage for third-party lawsuits filed due to the release of private information, they do not provide any of the first party costs to a facility such as hiring IT experts, enhancing security measures, recreating lost data, recovering loss income due to the breach of security, notification costs, credit monitoring expenses, or meeting the demands of extortionists. To address these large gaps in coverage, the insurance industry has created a newer coverage now generically termed Cyber Risk Liability insurance.

Cyber Risk Liability insurance is specifically designed to respond to loss of security to an insured’s data systems and losses of private information that may occur. The coverage began to emerge about five years ago and is now offered by numerous insurers for healthcare institutions. While many policies contain similar provisions, cyber risk liability is perhaps the least standardized segment of property and casualty insurance. Similar coverages can be purchased from most cyber risk liability insurers but there is no standard for built-in coverages in a cyber risk liability policy, as one typically finds with a general liability policy or a directors & officers liability policy. Typical coverages include, but are not limited to, the following:

• Privacy Liability Coverage: covers liability and defense expenses arising from the healthcare facility’s failure to protect personal information of its clients and its employees. This coverage should apply regardless of the format in which the information is stored, whether it is on a server, a desktop, laptop, or jump drive.
• Network Security Liability: covers liability and defense expenses arising from the failure of the insured’s network security. This includes unauthorized access, denial of service attacks, or transmission of malicious codes.
• Privacy Liability Coverage: covers liability and defense expenses arising from the healthcare facility’s failure to protect personal information of its clients and its employees. This coverage should apply regardless of the format in which the information is stored, whether it is on a server, a desktop, laptop, or jump drive.
• Network Security Liability: covers liability and defense expenses arising from the failure of the insured’s network security. This includes unauthorized access, denial of service attacks, or transmission of malicious codes.
• Internet Media Liability: provides for liability and defense expenses arising out of an insured’s website. It provides for infringement of copyright or trademark, invasion of privacy, libel, slander, plagiarism, or negligence arising from the website content.
• Cyber Extortion: Provides for extortion payments and expenses related to threats of system disruption or a release of information.
• Electronic Data Loss: Provides for the costs associated in recreating data that is lost or damaged.
• Business Interruption: Pays for the loss of net income due to a privacy or network security event.
• Privacy Regulatory Proceedings Expense: Provides defense expenses of a proceeding or action brought by a privacy regulator.
• Crisis Management / Public Relations Fund: These funds are reserved for the costs associated with notifying customers of breaches, monitoring their credit reports, and dealing with the public relations challenges.
• Risk Management Services: Many insurers will provide access to web-based loss prevention and technical resources to help policyholders manage their privacy and network security risks at no additional charge.

Even for core coverages such as Network Security and Privacy Liability, each insurer’s insuring agreement may be substantially different than that of another insurer. Your insurance broker must be able to explain the differences between the insuring forms. Furthermore, do not assume that your insurance broker knows what cyber risk liability coverage endorsements your facility requires. While some of the main coverages are obviously required at all facilities, there are many coverage options that may or may not be appropriate for your facility. Discuss your concerns with your broker so that, with his or her assistance, you can select the coverages and the limits to be included in your facility’s policy.

Cyber risk liability underwriters will evaluate your facility’s exposure to loss. This will depend in part on the sophistication of the facility’s IT department, the security provisions utilized by the facility’s network, the number of records stored, the manner in which the information is maintained, type of facility website, and history of losses. A healthcare facility’s IT Department and/or its independent consultants will be integrally involved in the completion of the application required to apply for Cyber Risk Liability insurance. Often a risk management phone call with the insured is a requirement prior to the insurer offering coverage. Pricing can vary significantly when comparing seemingly comparable coverages; therefore, it is advisable to obtain multiple quotes from financially robust insurers. Key differentiating coverage components include the following:

• Coverage that includes information lost by insured’s independent contractors.
• Coverage for mental anguish without accompanying bodily injury.
• Liability coverage pertaining to all privacy laws rather than just privacy breach notice laws, even if not yet written.
• Option to elect to purchase extortion and other first party coverages.
• Significant limits for notification and credit monitoring expenses.
• Liability for punitive damages, where allowable.
• Coverage for all forms of media, such as flash drives, telephones, and personal digital assistants (PDAs).
• Coverage for trade secrets released.
• No broad exclusions for failure to properly maintain network security.
• Most insurers require retentions but deductibles may be available.
• Promotional expenses that may not be related to a data theft.
• Coverage for regulatory fines.
• IT support and consultation in the event of a known privacy or security threat.

Senior management must work with its IT Department to evaluate the facility’s exposure to these types of losses, including the threat that a rogue employee, hacker, or dumpster diver could pose to patient, employee, and hospital data. Discuss the issues with the independent contractors and vendors that interact with the facility to provide data management and processing capabilities. Inquire as to what these firms are doing to protect your facility and determine if they too are properly insured, as these types of losses have occurred to at least one data storage firm as well. In fact, while privacy and security losses are less common than general liability, professional liability, and even directors & officers liability claims, the magnitude of loss potential to healthcare facilities remains severe. While a comprehensive approach to risk management is paramount, providing a funding mechanism for the unforeseen, catastrophic losses is prudent for any size healthcare facility.

¹http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

²http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

³http://www.rcmd.com/cs/news/white_papers/Cyber_Risk:_What_does_it_mean_to_you?

⁴http://www.pgp.com/insight/newsroom/press_releases/2008_annual_study_cost_of_data_breach

⁵http://www.pgp.com/insight/newsroom/press_releases/2008_annual_study_cost_of_data_breach

⁶Journal of Healthcare Risk Management, Volume 28, Number 4, page 23

Return to Articles index