Cyber Liability. AlaHA Annual Meeting 2013

Transcription

1 Cyber Liability AlaHA Annual Meeting 2013

2 Disclaimer We are not providing legal advise. This Presentation is a broad overview of health care cyber loss exposures, the process in the event of loss and coverages available. We can provide recommendations regarding your operation only after reviewing the exposures in your facility and your appetite for potential loss.

3 What Is Cyber Liability It is liability and other expenses due to the unauthorized disclosure of personally identifiable information of others, including electronic data breach as well as paper files. When applicable it includes HIPAA and HITECH requirements.

4 Examples of Litigation South Shore Hospital was fined $750,000 by Massachusetts Attorney General when some unencrypted backup records were lost in shipping, exposing 800,000 patients PMI and financial records. West Virginia University Medical Corporation was forced to pay $2,300,000 in punitive damages when an employee took three women s mental health records home and discussed them with locals. Emory Hospital was served with a class action lawsuit alleging $500,000,000 in damages for losing 10 data disks containing sensitive personal data of over 315,000 patients.

5 Litigation The Sutter Health Foundation A class action suit seeking $1,000 for each of the affected 4.3 million patients was filed against the Foundation after a laptop containing PMI was stolen from their hospital. UCLA Healthcare System had to defend itself in a case that alleged up to $16 million in damages following a data breach. The incident occurred when a doctor brought a hard drive home and subsequently had it stolen during a break in, exposing 16,288 patients personal information.

6 More Litigation Sutter Health lost 943,000 patients confidential information when a thief broke a window and stole a computer. Sutter failed to notify the affected individuals within the time allotted by state law prompting a law suit which seeks to give each member $1,000. Stanford University Hospital and Clinics faced a $20,000,000 class action lawsuit after their third party billing vendor posted a spreadsheet of over 2,000 patients PMI on a commercially available website. Charleston Area Medical Center faced a class action lawsuit following a third party data management firm accidentally posted their patients information on a publically viewable website. Despite having paid for credit monitoring services and credit freezes for the 3,655 affected individuals as well as hiring a risk management group to access their practices, the plaintiffs moved forward with the lawsuit.

7 Incidents Lexington Clinic suffered an overnight burglary as well as a subsequent data breach when the thieves stole a laptop containing PMI of many of their patients. As a result, Lexington Clinic sent letters to the 1,018 people who they believed were affected. Parkland Memorial Hospital had to pay for credit monitoring services and notifications for 1,311 of their patients after a Parkland employee stole their information in an attempt to begin his own health care practice. Staten Island University Hospital had a computer desktop stolen which contained 88,000 patients social security numbers as well as health insurance policy numbers. In response, they notified and purchased a year of credit monitoring services for those affected by the breach.

8 More Incidents Georgetown University Hospital sent notifications to 1,526 patients following the loss of a USB thumb drive which contained their personal medical information. Pitt County Memorial Hospital lost a USB drive that contained the PHI of approximately 1,700 patients. Pitt notified and provided a year of credit monitoring to the affected individuals. MidState Medical Center misplaced a hard drive which contained medical and personal information for an undisclosed amount of patients. As a result, MidState established a hotline, notified the affected individuals and offered them two years worth of credit monitoring services.

9 More Incidents Cincinnati Children s Hospital paid for credit monitoring services, notifications and a hotline following a data breach that was a result of a laptop being stolen from an employee s car. Adventist Health System employees accessed patient information not necessary to perform their duties in order to refer car accident victims to a lawyer, causing a breach in their information. As a result, Adventist notified the affected individuals, provided a year of credit monitoring services and fired the employees responsible for the breach.

10 What Happens if Data is Breached Discovery of the Event Event is theft, loss or unauthorized disclosure of Personally Identifiable Non Public Information or Third party Corporate Information that is in the care, custody or control of insured (hospital) or a third party for whom the (hospital)is legally liable. Evaluation of Event Investigation and Legal Review

11 After Data Breach Manage the Short Term Crisis Notification Credit Monitoring Public Relations Manage the Long Term Consequences Class Action lawsuits Regulatory Fines and Penalties Damage to Reputation Income Loss

12 Isn t This Covered by Non Cyber Policies It Is Possible but Very Unlikely CGL Policies Usually Do Not Cover Intangible Property Property Business Interruption Usually Requires Direct Physical Damage Crime Usually Applies to Tangible Property D&O Excludes Bodily Injury, Property Damage No Other Traditional Insurance Cover Notification Expense

13 You Get What You Pay For If You Are Lucky Insurer/Policy Form? A.M. Best Rating Expertise in Field? Breach response cost coverage? Breach response costs coverage includes notification of up to individuals? Credit monitoring offered to notified individuals? Coverage includes credit restoration service? Dedicated breach response costs limit that is in addition to third party liability aggregate limit? Forensic and legal expenses also in addition to policy aggregate limit (sublimit of $ )? Insurer has panel of service providers? Insured may select legal counsel from panel? Free risk management program included with coverage? Security and privacy liability coverage? Limit? Retention? Duty to defend?

14 Check List Coverage includes both non public personally identifiable information and confidential corporate information? Coverage extends to information in the possession of independent contractor? Coverage includes events and claims anywhere in the world? Coverage includes acts by rogue employees? Coverage includes failure to comply with own privacy policy? Coverage includes failure to administer an identity theft prevention program required by law or take necessary actions to prevent phishing/identity theft? Coverage for failure to timely disclose a security breach as required by law? No exclusion for failure to maintain security? Regulatory defense and penalties coverage? Fines and penalties covered where insurable by law? Coverage includes PCI fines and costs? Crisis management and public relations coverage? Coverage includes crisis management?

15 What If I Want to Know More Give Us a Call Mel Capell, CEO MCapell@coastalins.org Wray Smith WSmith@coastalins.org