Cyber & Privacy Liability for Health Care Industry
1. USI Insurance Services
Cyber and Privacy Liability
for Healthcare Providers
USI Management and Professional Services
2. Cyber and Privacy Exposures Are Significant Sources of
Liability Claims Against Healthcare Providers
Cyber Liability: 1st and 3rd Party risks associated with on-line activities - Internet,
Network and Data Assets
Privacy Liability: Liability arising out of misuse or improper disclosure of Personal Data
(Social Security Number or Credit Card)
Confidential 1
3. Cyber & Privacy Claims are Not Covered under
Traditional Insurance Policies
The Insurance Gap
Errors & Omissions
• Typically excludes a security breach
• Typically tied to/requires an act of negligence to trigger coverage
General Liability
• Excludes damage to and corruption of electronic data
• Covers only “tangible” property
• Personal & advertising liability does not cover violations/misuse of private information
Property Insurance
• Coverage is specific to physical loss or damage to tangible property (named)
• Courts have consistently held that data is not tangible property
Crime Insurance
• Covers loss due to employee theft of money, securities or other property
• Property must be tangible and have intrinsic value
• No coverage for confidential information
4. Providers Increasingly Challenged to Manage Expanding
Regulations with Limited Budgets and Resources
State Breach Laws: 46 states have enacted legislation requiring security breach
notification involving personal information – with no “overarching” Federal
law, state statutes control.
Health Insurance Portability and Accountability Act (HIPAA): Applies to
health care businesses and any employer that provides health care benefits
Payment Card Industry Data Security Standard (PCI DSS): Worldwide
security standard created to prevent credit card fraud
Federal Trade Commission (FTC): The most active enforcer in 2012-13; has taken on a
role similar to the one the EEOC has played over the last three years
Fair and Accurate Credit Transactions Act (FACTA): Passed in 2003; created standards
to help reduce identity theft, allows consumers to obtain a free annual credit report,
and includes the Disposal Rule
HITECH Act: Applies to certain healthcare facilities and is an expansive amendment
to HIPAA
5. Healthcare Industry Number One Target For Criminal
Organizations Looking for Personal Information
• Health records commonly include date of birth, social security number, credit card
number and address
• Healthcare breaches increased 32% in 2011 over 2010
• Providers increasingly utilize hospital, pharmacy, payor and network computer systems
to transmit patient information electronically
• Lack of employee training in data security and privacy in healthcare
• Lax office procedures related to confidential patient information
• Increased Cyber and Privacy Liability regulatory challenges: HIPAA (Federal),
HITECH (Federal) & PPACA, State laws (e.g., California Confidentiality of Medical
Information Act)
6. Average Cost of Data Breach in 2011: $5.5 million*
• Health system accidentally posts medical records of thousands of patients on Internet.
Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million
with total costs at $20+ million.
• May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding
HIPAA violations; investigation triggered by public calendar posting of patient
appointments.
• Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations;
hospital shipped three boxes of unencrypted data to third party to be erased; only two
boxes arrived at facility.
• June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of
patient data.
• May 2012: Receptionist at psychological institution found liable for $2 million in ID theft
and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution
under discussion.
Information no longer resides exclusively on servers: data has gone mobile, limiting the
effectiveness of firewalls and other controls at even the most advanced firms!
*Ponemon Institute and Symantec
7. Healthcare Holds or Transmits More Personal Data than
Any Other U.S. Business Segment
Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks
• HIPAA virtually unenforced from 2005 to 2010. Starting with
the passage of the HITECH Act, the Dept. of Health and
Human Services has stepped up enforcement actions
through the Office for Civil Rights (OCR).
• Plaintiff Attorney fees have increased as complexity and
potential awards have increased. A patchwork of both State
and Federal statutes provides multiple actionable causes and
there is no sign of abatement.
• Beginning September 2012, with rules expanding in
January of 2013, TX HB300 expands HIPAA requirements
to businesses of all shapes and sizes in Texas,
greatly increasing statutory exposure.
Bottom Line: Healthcare businesses must begin
evaluating their cyber and privacy liability exposures
and consider insurance coverage solutions!
9. The USI SOLUTION
Experience
• Coverage is modular – it is essential to know which coverage fits a specific risk
• Policy language varies from carrier to carrier, no two policies are the same.
Expertise
• Dedicated team of Network Security & Privacy experts
• Experience in the policy features critical to Health Care Providers
Market Leverage
• Access to the leading network of insurance carriers
• Ability to creatively tailor coverages to meet the needs of each unique client
10. 1st Party Coverage
Losses Your Company Suffers Directly
Cyber Extortion: Covers costs to investigate, negotiate and settle if
credibly threatened or if an extortion demand is received. Wording is
essential, as distinction between extortion/terrorism/act of war, etc. is
developing.
Data Asset/Data Restoration: Covers data restoration expenses after
a covered data breach; this does NOT mean cost of new
software/hardware, but restoration to pre-loss condition.
Business Interruption: Covers costs and expenses resulting from a shutdown
of operations due to a covered data breach; not always included in
standard coverage. The “waiting period” before coverage attaches is typically 24 hours.
However, this should be discussed, as some organizations (high tech, online
services, etc.) require a shorter trigger.
Crisis Management: Covers cost to hire a public relations firm to protect
brand image and reputation following a breach.
11. 3rd Party Coverage: Losses Suffered
By Your Patients or Clients
Media or Content Liability
Covers insured’s economic liability when hackers / unauthorized users access
Insured’s systems to inflict damage on others, plus defense and settlement costs.
Covers unauthorized access, unauthorized use and denial of service attacks, etc.
Privacy Liability Coverage and Breach Response
Covers defense and damages related to allegations of insured’s failure to protect
private or confidential patient data, whether in electronic or paper forms.
Coverage may include the following, subject to sub-limits or on a per-record basis:
Notification Expenses
Credit Monitoring
Event Management
Governmental Regulatory Claims
12. Additional 3rd Party Coverage
Intellectual Property: Responds to loss arising from infringement of trademark, copyright
and other protected sources – typically a SEPARATE POLICY is required to provide more
expansive coverage for patent portfolios
Media or Content Liability: Responds to advertising injury for losses arising from display
of material online and advertising,
13. Interested in Learning More?
Toni L Ferrari
Commercial Insurance Executive, Healthcare Practice
Mid-Atlantic Region
Phone: 757 640 5466
Mobile: 757-406-5229
toni.ferrari@usi.biz