September 2014

Greetings! I hope this edition of CIS News finds you enjoying the beginning of the fall season. The Coverys Insurance Services staff always appreciates this time of year, when we can support our clients at their community golf outings and events around the state. Our sponsorship and attendance at these events are a highlight for us, and I want to thank you for including Coverys Insurance Services.

The theme of this newsletter is Cyber Liability. We've put together some useful information to educate you about the threats of data breaches and to explain the many ways Coverys Insurance Services provides protection against these threats. If you weren't already aware, all Coverys policyholders automatically receive Regulatory Liability and Information Security and Privacy Coverage. This edition also includes a helpful article detailing the basic limits of coverage we provide to you, as well as information on obtaining additional limits, should your organization require them.

If you have any questions about cyber liability, your current coverage, or would like more information on obtaining additional coverage, please do not hesitate to contact us!

Sincerely,
David Schwaner
Agency Director, Coverys Insurance Services

In This Issue...
- Cyber Liability and Data Breaches - A Growing Threat in Healthcare
- Getting To Know Coverys Regulatory Liability and Information Security and Privacy Coverage

www.coverysis.com
CYBER LIABILITY AND DATA BREACHES - A GROWING THREAT IN HEALTHCARE
By Richard J. Suhrheinrich and Kimberly M. Babcock, Kitch Drutchas Wagner Valitutti & Sherbrook

The information age has brought about unparalleled threats to companies in the area of cyber attacks. A cyber attack, also called a data breach, occurs when sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so. Such threats have become prominent in the news, with several well-publicized attacks on global companies and major retailers such as Sony, Target and eBay. Since 2011, cyber attacks and data breaches have consistently been included among the top global risks to watch for, according to the world's top business leaders, politicians and policy advisers assembled at the World Economic Forum (WEF). [1]

The healthcare community is particularly vulnerable to cyber security threats. Hospitals, healthcare organizations and physician practices are faced with the daunting task of operating EMR and EMH systems and complex internal networks while protecting highly sensitive patient data from inadvertent disclosure or theft. The increased use of technology, with telemedicine, laptops, tablets and mobile devices being used to store and transmit patient information, leads to more opportunities for data breaches to occur. The Identity Theft Resource Center, a non-profit organization that tracks data theft, found that the healthcare sector experienced the highest number of cyber attacks in 2013, overtaking the business sector for the top spot. The healthcare sector suffered 267 breaches in 2013, constituting 43 percent of all cyber attacks that year. [2] Interestingly, most of these breaches are not due to a malicious attack from a third party: according to a 2013 global study conducted by the Ponemon Institute, human errors and system glitches caused approximately two-thirds of data breaches. [3]

Data breaches can occur in multiple ways. Stolen or lost laptops or hard drives, disclosures by third-party vendors, and unsecured websites top the list. The following are some examples of notable breaches at hospitals or healthcare organizations to date:

- Advocate Medical Group (2013): Four laptops were stolen containing more than 4 million patient records. This was the second largest breach to be reported to HHS. [4]
- AHMC Healthcare (2013): Two laptops were stolen containing patient data from six AHMC hospitals in California. Approximately 729,000 patients were affected, with about 70,000 having their Social Security numbers compromised. [4]
- Cogent Healthcare, Inc. (2013): A transcription company stored medical data on a non-secure website, making the private website accessible to all Internet users; some records were indexed by Google. PHI of over 32,000 individuals was affected. [4]
- Emory Healthcare (2012): The Atlanta-based hospital system misplaced 10 backup disks containing information for more than 315,000 patients. Some 228,000 of the files included patient Social Security numbers and other medical information. [5]
- UCLA Health System (2011): Unauthorized employees looked at electronic protected health information of numerous celebrity patients. UCLA had to pay $865,000 to settle HIPAA investigations and charges. [6] Less than a year later, UCLA was faced with another data breach when a former employee's house was broken into and an external hard drive was stolen containing encrypted personal information of 16,288 patients. [7]
- Sutter Health (2011): Nearly 1 million patients of the California health system had their PHI compromised after the theft of an unencrypted company desktop computer. Sutter Health faces 11 different lawsuits with potential liability of up to $4.25 billion. [8]
- Eisenhower Medical Center (2011): An unencrypted computer was stolen containing patient data; over 514,000 individuals were affected. [9]
- TRICARE Management Activity (2011): Lost back-up tapes contained PHI of over 4.9 million individuals, making it the largest breach in history. $4.9 billion was sought in the class action lawsuit, or $1,000 per patient. Importantly, a federal court recently dismissed the majority of the lawsuit on the basis that a data breach alone did not demonstrate damages and the plaintiffs had to prove actual harm. [9]
- North Bronx Healthcare Network (2010): Back-up tapes from two computer systems were stolen from a vendor truck, containing 20 years of PHI of an estimated 1.7 million individuals. [9]
- New York Presbyterian Hospital and Columbia University (2010): A physician attempted to deactivate a personal computer server on the hospital network, resulting in 6,800 patients' PHI being exposed on the Internet. In the largest HIPAA settlement to date, the two hospitals paid a total of $4.8 million to settle the claims. [10]

What Are the Consequences of a Data Breach?

The recently enacted HIPAA Omnibus Rule, found in the HITECH Act's Breach Notification Rule, requires entities to notify the U.S. Department of Health and Human Services (HHS) following a data breach of protected health information. If the PHI of 500 or more individuals is compromised, HHS posts the breach to the public; in 2013 alone, 248 such violations were posted. [11] According to the 2013 Ponemon study, the average total organizational cost of a data breach in the United States was $5,403,644. Healthcare, as the most heavily regulated industry, led the pack as the U.S. industry with the highest per capita cost of a data breach. [3]

When a data breach occurs, a hospital or healthcare system may face all or some of these expenses and consequences:

- Legal Defense: the cost can vary widely. A 2013 study of actual claim payouts found the average cost of legal defense for a cyber liability/data breach claim was $574,984, and the average legal settlement was $258,099. [12]
- Regulatory Proceedings, Fines, and Penalties: the Omnibus Rule allows for hefty penalties for data breaches, up to $1,500,000 per incident. In 2013, HHS handed out penalties ranging from $150,000 to $1,700,000. [13]
- Notification of Third Parties: most states require notification of individuals with potentially compromised information. HHS must be notified if the PHI of over 500 individuals is affected. [14]
- In-House Investigations: including response plans, and repair and/or improvement of security technology.
- Forensic Examination and Experts: hiring a third party to investigate the data breach; average fees are from $200 to $1,500 per hour. [14]
- Hotline/Call Center: to provide support for patients and affected individuals.
- Credit or Identity Monitoring: many hospitals voluntarily provide this for patients who are victims of a breach; typical credit monitoring costs can range from $10 to $30 per individual per year. [14]
- Public Relations: damage control is necessary and may be extensive, depending on the seriousness of the breach and the number of people affected. Hiring an external party may be necessary.
- Various intangible consequences, such as harm to the organization's reputation and loss of trust between the organization and the patient. [4]

For the healthcare community, cyber liability is a real and growing threat. It has become a must for hospitals, healthcare organizations and physician practices to be aware of the cyber liability risks and take affirmative steps to reduce them. Steps need to be taken to safeguard against disclosure as well as to protect the provider, should a breach happen.

References:
1. Global Risks 2014: Ninth Edition. World Economic Forum, http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf. Cybersecurity named one of top five global threats. Published February 10, 2011, www.homelandsecuritynewswire.com/cybersecuritynamed-one-top-five-global-threats.
2. Cyberattacks are on the rise. And health-care data is the biggest target. Published February 5, 2014, http://www.washingtonpost.com/blogs/wonkblog/wp/2014/02/05/cyberattacks-are-on-the-rise-and-healthcare-data-is-the-biggest-target/.
3. 2013 Cost of Data Breach Study: Global Analysis. Ponemon Institute, May 2013, www.ponemon.org/library/2013-cost-of-data-breach-global-analysis.
4. Top 10 HIPAA Data Breaches of 2013. Layered Tech, published January 7, 2014, www.layeredtech.com/blog/top-10hipaa-data-breaches-of-2013.
5. 10 largest HIPAA breaches of 2012. Healthcare IT News, published January 1, 2013, http://www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012.
6. UCLA Health System Pays $865,000 Over Privacy Charges. InformationWeek, published July 8, 2011, http://www.darkreading.com/risk-management/ucla-health-system-pays-$865000-over-privacycharges/d/d-id/1098799.
7. UCLA Patient Data Breached (Again). Fierce Healthcare, published November 7, 2011, http://www.fiercehealthcare.com/story/ucla-patient-databreached-again/2011-11-07.
8. Patients Sue Sutter Health After Largest Data Breach. Fierce Healthcare, published November 28, 2011, http://www.fiercehealthcare.com/story/patients-sue-sutterhealth-after-largest-data-breach/2011-11-28. Another data breach for Sutter Health. Healthcare IT News, published June 10, 2013, http://www.healthcareitnews.com/news/another-databreach-sutter-health.
9. 10 biggest HIPAA data breaches in the U.S. Healthcare IT News, published September 10, 2012, www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states.
10. Data breach results in $4.8 million HIPAA settlements. U.S. Department of Health & Human Services press release dated May 7, 2014, www.hhs.gov.
11. 45 CFR 164.408; see also www.hhs.gov, Health Information Privacy, Breaches Affecting 500 or More Individuals.
12. Cyber Liability & Data Breach Insurance Claims: A Study of Actual Claim Payouts. NetDiligence, 2013, www.netdiligence.com/files/cyberclaimsstudy-2013.pdf.
13. HHS raises the stakes for patient data breaches. Healthcare IT News, published November 25, 2013, http://www.healthcareitnews.com/blog/hhs-raises-stakespatient-data-breaches.
14. Data Breach Cost: Risks, costs and mitigation strategies for data breaches. Zurich, http://www.zurichna.com/internet/zna/sitecollectiondocuments/en/products/securityandprivacy/data%20breach%20costs.%20wp%20part%201%20(risks,%20costs%20and%20mitigation%20strategies).pdf.
GETTING TO KNOW COVERYS REGULATORY LIABILITY AND INFORMATION SECURITY AND PRIVACY COVERAGE

Since 2009, more than 804 breaches of protected health information have been reported to the HHS Office of Civil Rights. As a result, more than 29 million patient records were affected. [1] Healthcare facilities have been charged with protecting not only their patients' well-being, but also their protected health information.

Through member company MHA Insurance Company (MHAIC), Coverys provides facilities with the extra coverage you may need, above and beyond your original professional liability policy. All MHAIC policies now include Regulatory Liability and Information Security and Privacy Coverage. Coverys offers the coverage to policyholders at no extra cost at basic limits, and also offers the ability to purchase additional limits with flexible deductible options. The following information will help you get a more in-depth understanding of this coverage.

Who is eligible for Coverys Regulatory Liability and Information Security and Privacy Coverage?
Individual, group and facility professional liability policyholders are provided the coverage at basic limits.

Is there a limit of liability buy-up option?
Policyholders are also given the option of purchasing additional limits with flexible retentions.

What are the basic limits of liability and deductibles?
The basic limits and deductibles are shown in the table below.

Does MHAIC bear the underwriting exposure for these coverages?
No. MHAIC fronts this coverage on behalf of Beazley, [2] a specialty insurance company that manages five international Lloyd's of London syndicates. Beazley is a market leader in cyber liability, professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

Will Coverys underwriters be given a loss report for each insured?
Beazley shares claim-specific loss reports with Coverys for each of its applicable underwriting entities. Coverys underwriters have access to these reports.

Will coverage be available in claims-made and occurrence?
No. Coverage is written solely on a claims-made basis. However, the coverage will be attached to both claims-made and occurrence professional liability policies.

Will there be an extended reporting period endorsement option?
Yes, there is a one-year, [3] non-renewable reporting endorsement option available.

Provider Coverage

Coverage                                                        | Provider Limits*** | Provider Retention*** | Facility Limits  | Facility Retention
A. Information Security and Privacy Liability                   | $50,000            | $1,000                | $100,000         | $5,000
B. Privacy Breach Response Services****                         | 5,000 individuals  |                       | $100,000         |
B.1.a Computer Forensics (sublimit)                             | $50,000            |                       |                  |
B.1.a&b Computer Forensics and Notification Service (sublimit)  |                    | $1,000                | $50,000          | $5,000
B.1.c Credit Monitoring Service                                 | 50 individuals     |                       | 250 individuals  |
C. Regulatory Defense and Penalties                             | $50,000            | $1,000                | $50,000          | $5,000
D. Website Media Content Liability                              | $50,000            | $1,000                | $50,000          | $5,000
E. Providers Regulatory Liability                               | $50,000            | $1,000                | $100,000         | $25,000
E. Disciplinary Proceedings (sublimit)                          | $25,000            | -                     | $25,000          | -
F. Cyber Extortion                                              | $50,000            | $1,000                | $50,000          | $5,000
G. First Party Data Protection                                  | $50,000            | $1,000                | $50,000          | $5,000
H. Crisis Management and Public Relations                       | $25,000            | $1,000                | $25,000          | $5,000
Combined Aggregate                                              | $50,000            |                       | $100,000         |

* The Coverys MPL provider policy includes the basic limits and deductibles noted above, at no additional charge.
** Limit buy-up options, up to $5 million per coverage with flexible retentions, are available upon request.
*** The Limit of Liability shown for Coverage B and the Aggregate, as well as all Retentions, may vary by Group size (this table displays amounts for a Group Size of 5). Please see the Regulatory Liability and Information Security and Privacy Coverage Schedule for further details.
**** For Provider policies, this limit does not apply to the aggregate.

NOTE: For claims-made policies, insureds must purchase a reporting endorsement for their professional liability policy in order to purchase the cyber/regulatory reporting endorsement.

Why is coverage provided for Cyber Extortion? Isn't extortion a criminal act?
The insured is covered to protect against the criminal act of someone else. It is similar to a homeowner's insurance policy protecting the homeowner against robbery. The act of the robber is criminal, but the homeowner needs coverage for the act.

Is extortion committed by an employee excluded?
Yes, the coverage explicitly excludes cyber extortion by an employee or owner of the practice.

How does the notifications deductible apply?
An individual practitioner is responsible for paying for the first 50 notifications. After that, the coverage will pay for 5,000 notifications. For a group of two to 20 practitioners, the group will pay for the first 100 notifications. After that, the coverage will pay for 50,000 notifications. For a group of 21 or more, the group pays for the first 5,000 notifications. After that, the coverage will pay for 100,000 notifications. For a facility, the facility pays for the first 250 notifications. After that, the coverage will pay for $100,000 worth of notifications.

Who chooses the attorneys, experts and service providers?
Beazley has attorneys, computer experts and service providers that it can contract with to provide these services to its insureds. However, Beazley is willing to work with insureds to expand its panel of providers given the right circumstances.

What if the insured already has this coverage through another policy?
There is an "other insurance" clause written into the coverage language which states that the cyber/regulatory coverage is excess over any other coverage available.

References:
1. Redspin's Breach Report 2013: Protected Health Information (PHI). Redspin, http://www.redspin.com/resources/whitepapers-datasheets/request-2013-breach-Report-Protected-Health-Information-PHI-Redspin.php.
2. Beazley has authority to enter into contracts of insurance on behalf of the Lloyd's underwriting members of Lloyd's syndicates 623 and 2623, which are managed by Beazley Furlonge Limited. Beazley Furlonge Limited is authorized by the Prudential Regulation Authority and regulated by the Financial Conduct Authority in the UK (ref 204896) in its capacity as an insurer.
3. Contingent upon state regulations.

Coverys Insurance Services
3100 West Road, Building 1, Suite 200
East Lansing, MI 48823