Understanding your Cyber Liability coverage

TEXAS MEDICAL LIABILITY TRUST
901 S. Mopac Expressway, Barton Oaks Plaza V, Suite 500, Austin, TX
P.O. Box Austin, TX
Fax:

The only medical professional liability insurance provider created and exclusively endorsed by the Texas Medical Association.

Published 2013

Understanding your cyber liability coverage is published by Texas Medical Liability Trust as an informational and educational service to TMLT policyholders. The information and opinions in this publication should not be used or referred to as primary legal sources or construed as establishing medical standards of care for the purposes of litigation, including expert testimony. The standard of care is dependent upon the particular facts and circumstances of each individual case, and no generalizations can be made that would apply to all cases. The information in this publication is not a binding statement of coverage. It does not amend, vary, extend, or waive any of the terms, agreements, conditions, definitions, and/or exclusions in TMLT's policy or Cyber Liability Endorsement. The information presented should be used only as a resource, selected and adapted with the advice of your attorney. It is distributed with the understanding that neither Texas Medical Liability Trust nor Texas Medical Insurance Company is engaged in rendering legal services. Copyright 2013 TMLT

Table of Contents

Preface ... IV
Cyber liability coverage ... 1
Coverage conditions and caveats ... 2
Legal information ... 3
Questions to consider ... 6
Case study ... 7
Vulnerabilities and exposures and claim scenario ... 8

Preface

This publication has been created for physicians and entities to explain some of the risks of privacy-related exposures that can result from:
- lost laptops;
- theft of hardware or data;
- improper disposal of medical records;
- hacking or virus attacks;
- rogue employees;
- cyber extortion; or
- cyber terrorism.

Physicians hold sensitive patient and employee information, including:
- medical records;
- social security information; and
- billing information, including credit cards, home addresses, work addresses, and phone numbers.

Cyber liability has become a huge exposure in the U.S.:
- In 2011 the FTC received 279,156 complaints of identity theft, making it their number one complaint.
- Panda Labs, an antivirus software vendor, reported that there were 60,000 strains of malware in existence in
- In 2010, FBI's International Crime Complaint Center (IC3) received the second-highest number of identity theft complaints since its inception. IC3 also reached a major milestone this year when it received its two millionth complaint. On average, IC3 receives and processes 25,000 complaints per month. The IC3 has seen substantial growth in complaints, referrals, and dollar loss claims since
- Texas is third in cybercrime complaints (7.3%) in the U.S. (IC3 study).
- Texas is fourth for cybercrime perpetrators (6.9%) in the U.S. (IC3 study).
- The average privacy breach costs $282 per record (Ponemon Institute 2011 Benchmark Study on Patient Privacy and Data Security).

An increase in the frequency of large-scale health care related breaches has raised awareness of cyber liability. Health care organizations have experienced devastating breaches:
- HealthNet: 1.7 million records
- Eisenhower Medical Center: 500,000 records
- New York City Health and Hospitals: 1.7 million records

Cyber liability coverage

Because of the potential for high costs from a cyber-related loss, TMLT has added a cyber liability endorsement to all policies at no additional cost. This endorsement provides coverage for network security and privacy-related exposures faced by medical professionals.

Cyber liability policy limits are $50,000 per claim, subject to a $50,000 aggregate per policy period, and there is no deductible. If the policy is on a group policy form, the policy aggregate for all policyholders is $250,000. Please refer to your endorsement. Higher limits of $1 million are available at a discounted cost, should a policyholder request them.

The endorsement provides payments directly to you (direct loss to your computer systems that suffer damage as a result of a data breach) and certain payments to others (claims made against you as a result of a privacy breach):

- Network security and privacy insurance covers third party claims arising out of the failure to prevent unauthorized access to or use of private information, including identity theft and breach of privacy for both on-line and off-line information. Examples include the inadvertent transmission of malicious code or a virus to a third party's computer system, or potential lawsuits from credit card or health insurance companies.
- Regulatory fines and penalties insurance covers regulatory investigations, fines, and penalties imposed as a result of a violation of federal or state privacy statutes. Examples include HIPAA and HITECH violations, or a state attorney general or Federal Trade Commission enforcement action regarding the breach of security and privacy of information.
- Privacy breach response costs, patient notification expenses, and patient support and credit monitoring costs insurance covers payment of all reasonable and necessary notification costs in notifying third parties (e.g., patients) whose private medical information has been breached or compromised. This coverage includes legal fees, notification costs, public relations expenses, and IT forensic costs, as well as call center, advertising, and postage expenses. The costs for credit monitoring services are limited to a period of 12 months from the date of enrollment in such services.
- Network asset protection covers all reasonable and necessary sums required to recover and/or replace data that is compromised, damaged, lost, erased, or corrupted. Coverage also includes business interruption and extra expense coverage for income loss as a result of the total or partial interruption of the policyholder's computer system.

Effective January 1, 2013, all TMLT policies will be expanded to cover:

- Multimedia insurance provides coverage for both on-line and off-line media, including claims alleging copyright/trademark infringement, libel/slander, advertising injuries, and plagiarism.
- Cyber extortion pays for a cyber extortion threat. This would involve a party making a threat or demand for cyber extortion monies, or else they will:
  - release confidential information of a third party;
  - introduce malicious code;
  - corrupt, damage, or destroy the policyholder's system;
  - restrict or hinder access to the system, including a denial of service attack; or
  - electronically communicate with the policyholder's patients or customers claiming to be the policyholder in order to obtain personal confidential information.
  This coverage pays cyber extortion expenses, but such expenses can only be incurred with the Trust's consent. The coverage also would pay cyber extortion monies (funds paid with the Trust's consent to the extorters to terminate the threat).
- Cyber terrorism coverage pays for acts of terrorism, meaning a use of force or violence for political, religious, ideological, or similar purposes, including the intent to influence a government or put the public in fear. This coverage pays for income loss, interruption expenses, and/or special expenses.

Coverage conditions and caveats

TMLT's cyber liability coverage is on a claims-made policy. Your cyber liability coverage is offered in addition to your medical professional liability (MPL) policy limits, and there are no binding arbitration or hammer clauses, unlike some of our competitors' coverage forms. TMLT will pay on behalf of the policyholder except under Regulatory Fines and Penalties, which will be reimbursed. Defense costs are paid within the limits of insurance, unlike your TMLT MPL policy, where defense costs are paid outside the limits of insurance.

The insurance benefits provided under the Network Security and Privacy Coverage; Patient Notification and Credit Monitoring Costs Coverage; and Regulatory Fines and Penalties Coverage are on a third-party basis. The benefits under the Data Recovery Costs Coverage are on a first-party basis and require TMLT's prior written consent for payment.

In the event of any cyber claim, you must notify TMLT within 60 days from the date a claim is first made to receive any benefit under this endorsement.

Legal information

Signed into law in 2011, the Texas privacy law, known as HB 300, expands cyber privacy laws beyond the scope of current federal laws. HB 300 does the following:
- expands HIPAA requirements on written authorization to include release of sensitive information;
- applies stronger enforcement and penalties;
- broadens the definition of "breach";
- expands training requirements;
- expands the U.S. Attorney General's role in enforcing privacy;
- expands patient rights to receive health information electronically; and
- prohibits the sale of personal health information, with some exceptions.

During testimony to the Senate Health and Human Services Committee, Matthew Murray, MD, gave the TMA's interpretation of HB 300:

- Rules regarding the handling, including transmission, of medical information should apply to any entity in possession of or with access to such information, regardless of the form in which the information exists or is transmitted (e.g., paper, electronic). Any penalties for the misuse of such information also shall apply to any entity violating privacy laws or regulations.
- Medical information should not be used for nonmedical purposes without the informed and noncoerced consent of the individual involved. The increasing horizontal and vertical integration of the financial services sector of the economy may provide nonmedical entities access to individuals' medical records.
- Consent for the use or release of medical information should meet specific standards. Individuals, and in some cases treating health care professionals, should be required to provide informed consent regarding the use or transfer of medical information.
- Research activities should be protected, but not at the expense of individual privacy. Information should be required to be de-identified in an acceptable manner to support legitimate clinical research without unnecessary risk to the patient's privacy.
- Penalties should be severe and readily enforceable. Databases are extremely valuable in today's marketplace. Given the potential financial gains from selling medical information, penalties must be severe to deter these lucrative activities.
- There should be clear enforcement directives, and the ability of an individual to seek redress in the courts should enforcement measures prove inadequate.

HITECH was signed into law in 2009 and expands privacy and security measures in the transmission of health care data. It expanded HIPAA laws that were already in place. HIPAA is a federal law that governs how health care providers can use, collect, and disclose private information. It requires providers and entities to implement appropriate administrative, technical, and physical safeguards to protect private information.

The following comes from the Health and Human Services (HHS) website:

Breach Notification Requirements

Following the discovery of a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain cases, to the media. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the business associate must notify the covered entity of the breach. These breach notification requirements for covered entities and business associates are set forth at 45 CFR sections

Individual Notice

Covered entities must notify affected individuals of a breach of unsecured protected health information without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. Covered entities must provide written notification by first-class mail at the last known address of the individual or, if the individual agrees to electronic notice, by e-mail. If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual, then the covered entity must provide written notification to the next of kin or personal representative.

Individual notification may be provided in one or more mailings as information becomes available regarding the breach. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute notice in the form of either a conspicuous posting for 90 days on the home page of its web site or conspicuous notice in major print or broadcast media in geographic areas where the affected individuals likely reside, and include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's information may be included in the breach. In cases in which the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, telephone, or other means.

Whatever the method of delivery, the notification must include, to the extent possible:
(1) a brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
(2) a description of the types of unsecured protected health information involved in the breach;
(3) any steps individuals should take to protect themselves from potential harm resulting from the breach;
(4) a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(5) contact information for individuals to ask questions or learn additional information (45 CFR section ).

Media Notice

For breaches involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include the same information as that required for the individual notice (45 CFR section ).

Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), a covered entity must notify the Secretary of breaches of unsecured protected health information. If a breach involves 500 or more individuals, a covered entity must notify the Secretary at the same time the affected individuals are notified of the breach. A covered entity must also notify the Secretary of breaches involving fewer than 500 individuals, but it may submit reports of such breaches on an annual basis. Reports of breaches involving fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred (45 CFR section ).

Covered entities must notify the Secretary by filling out and electronically submitting a breach report form on the OCR web site at gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach so that the covered entity can notify the affected individuals, the Secretary, and the media, if appropriate, of the breach (or delegate the notification responsibilities to the business associate). A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 calendar days from the discovery of the breach. To the extent possible, the business associate must identify each individual affected by the breach, as well as include any other available information that the covered entity is required to include in its notification to individuals (45 CFR section ).

Questions to consider

- How are you currently safeguarding electronic patient data?
- Are you using encryption or other secure methods of preventing access to patients' protected health information?
- Do you keep your anti-virus and anti-spyware software active and up to date at all times?
- Do you use hardware and/or software firewalls to block outside access to your computer systems and unauthorized outgoing activity?
- Do you currently have any coverage for cyber liability losses and, if so, how comprehensive is the policy?
- Do you understand your responsibility in notifying your patients if there is a cyber-related security breach resulting in invasion of their privacy?
- Will a data breach impact your practice and your revenue? Have you considered the costs of lost production, lost time by employees working to fix the problem, and the overall loss of efficiency and potential reputational loss from a cyber claim?
- Do you have coverage for electrical damage, mechanical breakdown, and off-premises utility interruption (for example, due to power failure from blackouts and brownouts), or at least an uninterruptible power supply to continue operation of your computer system(s)?
- How often do you complete full backups of your electronic records? Are your data backups stored away from your premises?
- Do you have a cyber loss prevention and disaster protection plan established?

The benefits of a formal plan include:
- avoidance or prevention of cyber losses and resulting computer processing interruptions;
- preservation and protection of your electronic data;
- continuity of employment for your employees with minimal or no loss of productivity;
- fulfillment of service commitments to your patients;
- uninterrupted collection of your accounts receivable;
- security of your patients' personal health information and sensitive personal information; and
- compliance with state and federal laws.

The key: implement proper privacy and security procedures beforehand. It is easier to prevent a data breach before it occurs than to clean it up afterward.

Case Study

A group practice in an urban area was burglarized, and many of the practice's computers were stolen. Among the items stolen was the server, which contained the practice management database. The database contained all patient demographic files, including patient names, home addresses, dates of birth, social security numbers, and diagnoses. Access to the practice management database was protected by password, but this level of security could potentially be circumvented.

The practice sent letters to their patients notifying them of the breach. They also notified the Office for Civil Rights (OCR) of the burglary and breach of protected health information (PHI). According to the OCR, the burglary and breach of PHI could be a violation of the privacy rule, specifically impermissible disclosure and safeguarding of PHI, and of the security rule's safeguards.

Risk management considerations

HIPAA and HITECH require physicians to employ a series of administrative, technical, and physical safeguards to ensure the security of PHI. Additionally, physicians are required to notify patients if there are breaches of security involving unsecured patient information. Notification must occur no more than 60 days after the breach is discovered. Notification must be in writing by mail (or by phone in urgent cases), or by electronic means if the patient has consented to electronic notification. If the breach involves more than 500 patients, local media outlets must be notified. In addition, the HHS secretary must be notified immediately for breaches involving more than 500 patients and annually for others.

According to the American Medical Association, one critical exception to the breach notification requirement is that if the breach involved PHI that was secured (encrypted), then notification is not required. This rule applies to two categories of secured PHI: electronic PHI that meets specific standards of encryption, and PHI stored or recorded on media that has been destroyed. This rule provides a significant incentive for physicians to encrypt PHI.

Following the burglary, the practice took steps to provide better security for patient personal information. They no longer maintain personal information on a server located in the office. All personal information is stored on an off-site server, with access only allowed through a secured, encrypted virtual private network. The practice also improved physical security measures in the office.

Vulnerabilities and exposures

The need to protect the privacy of patients from hackers and cyber-thieves mandates the need for adequate security. Doctors who fail to adequately protect their patients' right to privacy from unauthorized use may be held legally responsible and be in violation of state and federal regulations. Doctors may also fail to follow state or federal notification requirements in the event of a data breach. It is imperative that physicians and affiliated organizations know what laws require when a data breach occurs and that employees follow these rules.

The following scenarios highlight security and unauthorized access exposures. It is important to note the differences between first and third party risks. First party risks include damage to your hardware and software, and exposure of your data. Third party risks are exposures of your patients' data.

Claim Scenario

A laptop with unencrypted data containing patient files was stolen from a doctor's unattended vehicle. The data included the employer's network passwords and 550 patient records consisting of Protected Health Information (PHI) and Sensitive Personal Information (SPI). The doctor immediately called her medical group's practice manager to report the loss. The practice manager had never developed any structured employee training on privacy and security compliance for employees.

The thief was able to uncover the network passwords and all of the confidential patient information. He also tried to hack into the practice's network server and, in the process, corrupted their computer system, shutting it down for three days. The practice learned the thief was trying to sell their medical identification information for $50 per patient record.

Predictably, the practice received a demand threatening to disseminate the patients' confidential information to other criminals unless the practice paid them $20,000 within the next five days. The doctor hired an attorney to assess the situation, determine the applicable state and federal notification requirements, and manage the response process. A vendor was hired to handle the notification process to the affected patients at a cost of $100 per patient record contact. This included credit monitoring for those who requested it. The physician found that 20 patients were so upset over the practice's weak privacy and security protocols that they hired an attorney, who demanded $200,000 for the breach of his clients' confidentiality and right to privacy.

After investigating the incident, the practice sent written notification to the affected patients; put a notice of the breach on their web site and on HHS.gov (required if the breach affects more than 500 individuals); and made local media aware of the breach. Additionally, the practice notified the Texas Attorney General's Office and the Office of Civil Rights (OCR), which subsequently led to two separate investigations and requests for extensive information. When the OCR requested a copy of the practice's Risk Analysis and Management Plan and Privacy and Security Policies and Procedures Manual to ensure compliance with HIPAA, the physician reported no such manuals existed.

Because the practice was a Covered Entity, the Texas Attorney General's Office decided to file a civil lawsuit for HIPAA violations under HITECH, as well as patient privacy violations under the Texas Identity Theft Enforcement and Protection Act (ITEP) and House Bill 300. The Texas Attorney General sought civil fines and penalties and the recovery of attorneys' fees and costs totaling $100,000. Because this was the medical practice's first public breach, their defense counsel was able to negotiate a compromise settlement with the Attorney General for reduced fines and penalties of $5,000. After considerable discussions, counsel was also able to settle the patients' confidentiality and right to privacy claims for $10,000. Unfortunately, the practice also had to pay the identity-theft ring their extortion demand of $20,000 to terminate the imminent release of their patient records.

Legal Expenses/Fees: $17,000
Notification Vendor Expenses: $38,000
Regulatory Penalty Settlement: $5,000
Data Recovery Costs: $5,000
Third Party Compensation: $10,000
Cyber Extortion Payment: $20,000
Total Expenses: $95,000

How would TMLT's Cyber Liability Coverage respond?

Based on the claim scenario, this matter would have triggered potential coverage under five distinct Coverage Agreements:

Liability Coverage
- Privacy Regulatory Defense and Penalty Coverage would pay for the fines and penalties imposed by the Texas Attorney General.
- Security & Privacy Liability Coverage would pay for the patients' claims for breach of confidentiality and right to privacy that arose out of the practice's failure to prevent unauthorized access to their PHI.

Direct Payments Coverage
- Network Asset Protection Coverage would pay the expenses incurred by the practice to recover or to restore their lost and corrupted electronic data caused by the thief's hacking attack, including the practice's income loss, interruption expenses, and special expenses to continue normal operations and to minimize the suspension of their practice.
- Privacy Breach Response Costs, Patient Notification Expenses, and Credit Monitoring Expenses would cover the advertising and postage costs to notify patients whose ePHI had been breached, including up to one year of free credit monitoring, and the expenses to employ a public relations consultant to mitigate the harm to the practice's reputation.
- Cyber Extortion Coverage would pay for extortion expenses and the payment of funds (subject to TMLT's consent) for the purposes of terminating a cyber extortion threat.

Consequently, TMLT would provide coverage for this entire matter up to $50,000 per claim, up to a maximum of $50,000 per policy period. (NOTE: Increased limits, at a discounted cost, are available up to $1,000,000.)

For more information about your cyber liability coverage, please call your TMLT Underwriter or Sales Representative. Thank you for choosing TMLT.



More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

POLICY AND PROCEDURE MANUAL

POLICY AND PROCEDURE MANUAL Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

How To Notify Of A Security Breach In Health Care Records

How To Notify Of A Security Breach In Health Care Records CHART YOUR HIPAA COURSE... HHS ISSUES SECURITY BREACH NOTIFICATION RULES PUBLISHED IN FEDERAL REGISTER 8/24/09 EFFECTIVE 9/23/09 The Department of Health and Human Services ( HHS ) has issued interim final

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Cyber Threats: Exposures and Breach Costs

Cyber Threats: Exposures and Breach Costs Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals

More information

Insuring Innovation. CyberFirst Coverage for Technology Companies

Insuring Innovation. CyberFirst Coverage for Technology Companies Insuring Innovation. CyberFirst for Technology Companies TECHNOLOGY IS EVERYWHERE. SO ARE THE THREATS. protection that goes well beyond a traditional general liability policy. CyberFirst CyberFirst is

More information

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that

More information

HIPAA Privacy and Security

HIPAA Privacy and Security HIPAA Privacy and Security Cindy Cummings, RHIT February, 2015 1 HIPAA Privacy and Security The regulation is designed to safeguard Protected Health Information referred to PHI AND electronic Protected

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Checklist for HITECH Breach Readiness

Checklist for HITECH Breach Readiness Checklist for HITECH Breach Readiness Checklist for HITECH Breach Readiness Figure 1 describes a checklist that may be used to assess for breach preparedness for the organization. It is based on published

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES

INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES NOTICE: INSURING AGREEMENTS I.A., I.C. AND I.D. OF THIS POLICY PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY

More information

Cyber Exposure for Credit Unions

Cyber Exposure for Credit Unions Cyber Exposure for Credit Unions What it is and how to protect yourself L O C K T O N 2 0 1 2 www.lockton.com Add Cyber Title Exposure Here Overview #1 financial risk for Credit Unions Average cost of

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Cyber Insurance Presentation

Cyber Insurance Presentation Cyber Insurance Presentation Presentation Outline Introduction General overview of Insurance About us Cyber loss statistics Cyber Insurance product coverage Loss examples Q & A About Us A- Rated reinsurance

More information

Coverage is subject to a Deductible

Coverage is subject to a Deductible Frank Cowan Company Limited 75 Main Street North, Princeton, ON N0J 1V0 Phone: 519-458-4331 Fax: 519-458-4366 Toll Free: 1-800-265-4000 www.frankcowan.com CYBER RISK INSURANCE DETAILED APPLICATION Notes:

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Name of Policy: Policy Number: Department: Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Approving Officer: Interim

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you

More information

Cyber and data Policy wording

Cyber and data Policy wording Please read the schedule to see whether Breach costs, Cyber business interruption, Hacker damage, Cyber extortion, Privacy protection or Media liability are covered by this section. The General terms and

More information

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Privacy Rights Clearing House

Privacy Rights Clearing House 10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

Privacy and Data Breach Protection Modular application form

Privacy and Data Breach Protection Modular application form Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while

More information

Violation Become a Privacy Breach? Agenda

Violation Become a Privacy Breach? Agenda How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices

More information

Information Privacy and Security Program. Title: EC.PS.01.02

Information Privacy and Security Program. Title: EC.PS.01.02 Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

More information

MISCELLANEOUS MEDICAL PROFESSIONAL AND GENERAL LIABILITY INSURANCE POLICY CLAIMS MADE AND REPORTED COVERAGE ENDORSEMENT

MISCELLANEOUS MEDICAL PROFESSIONAL AND GENERAL LIABILITY INSURANCE POLICY CLAIMS MADE AND REPORTED COVERAGE ENDORSEMENT MISCELLANEOUS MEDICAL PROFESSIONAL AND GENERAL LIABILITY INSURANCE POLICY CLAIMS MADE AND REPORTED COVERAGE ENDORSEMENT e-md E1857BA-0712 In consideration of the premium charged, it is understood and agreed

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

What would you do if your agency had a data breach?

What would you do if your agency had a data breach? What would you do if your agency had a data breach? 80% of businesses fail to recover from a breach because they do not know this answer. Responding to a breach is a complicated process that requires the

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability

More information

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability.

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability. Miscellaneous Current Topics in Healthcare Professional Liability Josh Zirin, FCAS, MAAA Antitrust Notice The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE. I. GENERAL INFORMATION Full Name:

INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE. I. GENERAL INFORMATION Full Name: INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information