Cyber & Privacy Liability for Health Care Industry
  • 1. USI Insurance Services
    Cyber and Privacy Liability for Healthcare Providers
    USI Management and Professional Services
  • 2. Cyber and Privacy Exposures Are Significant Sources of Liability Claims Against Healthcare Providers
    • Cyber Liability: Liability arising out of 1st and 3rd Party risks associated with on-line activities - Internet, Network and Data Assets
    • Privacy Liability: Liability arising out of misuse or improper disclosure of Personal Data (Social Security Number or Credit Card)
    Confidential
  • 3. Cyber & Privacy Claims are Not Covered under Traditional Insurance Policies – The Insurance Gap
    • Errors & Omissions: Typically excludes a security breach; typically tied to/requires an act of negligence to trigger coverage
    • General Liability: Excludes damage to and corruption of electronic data; covers only “tangible” property; personal & advertising liability does not cover violations/misuse of confidential private information
    • Property Insurance: Coverage is specific to physical loss or damage to tangible property (named); courts have consistently held that data is not tangible property
    • Crime Insurance: Covers loss due to employee theft of money, securities or other property; property must be tangible and have intrinsic value; no coverage for information
  • 4. Providers Increasingly Challenged to Manage Expanding Regulations with Limited Budgets and Resources
    • State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control.
    • Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits
    • Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud
    • Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years
    • Fair and Accurate Credit Transactions Act (FACTA): Passed in 2003, created standards to help reduce identity theft and allows consumers to obtain a free annual credit report; Disposal Rule
    • Hi Tech: Applies to certain healthcare facilities and is an expansive amendment to HIPAA
  • 5. Healthcare Industry Number One Target For Criminal Organizations Looking for Personal Information
    • Health records commonly include date of birth, social security number, credit card number and address
    • Healthcare breaches increased 32% in 2011 over 2010
    • Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically
    • Lack of employee training in data security and privacy in healthcare
    • Lax office procedures related to confidential patient information
    • Increased Cyber and Privacy Liability regulatory challenges:
      • HIPAA Act (Federal)
      • HI-TECH (Federal) & PPACA
      • State laws (e.g., California Confidentiality of Medical Info)
  • 6. Average Cost of Data Breach in 2011: $5.5 million*
    • Health system accidentally posts medical records of thousands of patients on the Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million with total costs at $20+ million.
    • May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.
    • Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to a third party to be erased; only two boxes arrived at the facility.
    • June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.
    • May 2012: Receptionist at a psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against the institution under discussion.
    • Information no longer resides exclusively on servers: Data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!
    *Ponemon Institute and Symantec
  • 7. Healthcare Holds or Transmits More Personal Data than Any Other U.S. Business Segment
    Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks
    • HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).
    • Plaintiff Attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provide multiple actionable causes and there is no sign of abatement.
    • Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.
    Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!
  • 8. Almost 50% of Losses Come From Fraud and Hacking
    Share of incidents by breach type: Hack 30%; FraudSe 17%; StolenLaptop 9%; Web 8%; Disposal_Document 6%; StolenDocument 4%; Unknown 4%; StolenComputer 3%; SnailMail 3%; Email 3%; LostDrive 2%; LostDocument 2%; Virus 2%; StolenDrive 2%; LostMedia 1%; LostTape 0%; LostMobile 0%; DisposalComputer 0%; StolenMobile 0%; MissingLaptop 0%; StolenMedia 0%; MissingMedia 0%; LostLaptop 0%; StolenTape 0%
    Source: http://datalossdb.org
  • 9. The USI SOLUTION
    • MARKET EXPERIENCE: Coverage is modular – it is essential to know which coverage fits a specific risk. Policy language varies from carrier to carrier; no two policies are the same.
    • EXPERTISE: Dedicated team of Network Security & Privacy experts. Experience in the policy features critical to Health Care Providers.
    • LEVERAGE: Access to the leading network of insurance carriers. Ability to creatively tailor coverages to meet the needs of each unique client.
  • 10. 1st Party Coverage – Losses Your Company Suffers Directly
    • Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as the distinction between extortion/terrorism/act of war, etc. is developing.
    • Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean the cost of new software/hardware, but restoration to pre-loss condition.
    • Business Interruption: Covers costs and expenses resulting from a shutdown of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.
    • Crisis Management: Covers the cost to hire a public relations firm to protect brand image and reputation following a breach.
  • 11. 3rd Party Coverage – Losses Suffered By Your Patients or Clients
    • Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of the insured’s failure to protect private or confidential patient data, whether in electronic or paper form; defense and settlement costs. Coverage may include the following, subject to sub-limits or on a per-record basis: Notification Expenses; Credit Monitoring; Event Management; Governmental Regulatory Claims.
    • Media or Content Liability: Covers the insured’s economic liability when hackers / unauthorized users access the Insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use and denial of service attacks, etc.
  • 12. Additional 3rd Party Coverage
    • Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources – typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios
    • Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,
  • 13. Interested in Learning More?
    Toni L Ferrari, Commercial Insurance Executive, Healthcare Practice, Mid-Atlantic Region
    Phone: 757 640 5466
    Mobile: 757-406-5229