Cyber & Data Risk Insurance


With the growth of the market and the continued evolution of technology, it is critical that you stay up to date in the ever-growing area of cyber and data risk insurance. Our September 2013 conference in NYC was the largest to date, attended in droves by banks, healthcare providers, retailers, insurers, brokers, underwriters, law firms, forensic firms, credit monitoring firms, crisis managers, regulatory notification specialists, PR and IT professionals, and vendors.


  1. HEALTHCARE HIGHLIGHTS
     6th Annual Advanced Forum on Cyber & Data Risk Insurance, September 27, 2012
     Presented by: Kimberly B. Holmes, Esq., Chubb Group of Insurance Companies; Christopher Keegan, Senior Vice President, Willis; John F. Mullen, Esq., Nelson, Levine, de Luca & Hamilton
     Focused on the Business of InsuranceSM © Nelson Levine de Luca & Hamilton, LLC
  2. Healthcare - What We Know
     • Highly regulated industry
       – HIPAA
       – HITECH
       – State data privacy and breach notification laws
     • Business Associate requirements are a moving target
       – Third-party due diligence has always been a problem
     • Covered Entities held to a higher standard
       – Your customers simply expect more, and they vote with their feet when they don't get it
  3. What's Here Now and What's On the Horizon
     • Electronic Medical Records (EMRs)
       – Operation/Implementation Challenges
       – Fair Information Principles Will Apply
     • Health Insurance Exchanges (HIEs)
       – HIPAA Compliance Challenges
         • Who is and isn't a Covered Entity?
       – Operation/Implementation Challenges
         • States will vary in compliance protocols
  4. EMR and HIPAA Requirements
  5. EMRs – The New Reality
     • The shift toward electronic health records has gained great momentum
     • Meaningful use and interoperability are big concerns: more data in motion, more data at risk
     • The first round of EHR incentive payments for meaningful use occurred earlier this year
  6. EMR—Compliance Costs
     • Secure conversion
     • Secure storage
     • Administrative safeguards
     • Technical safeguards
     • Physical safeguards
  7. EMR—Cost of Non-compliance
     • Exposure to OCR/AG actions
     • Fines
     • Punitive damages
  8. EMR—Electronic Security
     • During conversion
       – Physical security of paper documents
       – Secure electronic transmission
       – Secure electronic storage
       – Secure conversion facility
     • After conversion
       – Secure destruction of paper records
       – Secure electronic storage
  9. Health Insurance Exchanges
     • Required under the Affordable Care Act (ACA) to be implemented by Jan. 2014
     • Some states will operate exchanges themselves
     • Some states will establish them through partnership with the federal government and its contractors
     • Facilitate the purchase of health insurance coverage by small businesses and individuals
     • Determine eligibility and review plans for compliance with required benefits packages
     • Facilitate online availability of plans
     • Process enrollment
  10. Health Insurance Exchanges (Cont'd.)
     • To date, most HIEs have been set up as government or quasi-government entities and are thus NOT "Covered Entities" under HIPAA
     • Participating insurers (Qualified Health Plans) ARE still Covered Entities
       – Must continue to comply with HIPAA as well as any new privacy/security requirements imposed by the exchanges on their participating plans
     • The HHS final rule established no single minimum standard, but directed HIEs to develop privacy/security policies based on the FTC Fair Information Practice Principles
  11. Compliance & Notice Regulations
     • HITECH Act
       – Extends HIPAA to "business associates" of covered entities
         • E.g. claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management
       – Permits State Attorneys General to bring civil actions in federal court
         • First AG suit filed against Health Net Connecticut in January 2010 alleging failure to properly encrypt portable data (violating HIPAA) and failure to timely provide notice (suit settled: $250K fine, 2 years credit monitoring, additional $500K fine if a person suffers ID theft as a result of the breach)
       – Civil monetary penalties range from $50K to $1.5M per violation, per calendar year
       – Provides for mandatory audits by the Secretary of HHS to ensure data security policies and procedures are compliant and implemented
  12. Compliance & Notice Regulations
     • HITECH Act – Civil Penalties
       – Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)
         • Cignet failed to provide patients access to their own health information as required by HIPAA (fine $1.3 million) and failed to cooperate with HHS's investigation (fine $3 million)
         • First fine by HHS for violations of HIPAA Privacy Rule provisions
       – Massachusetts General Hospital – Settlement with HHS in the amount of $1 million (Feb. 2011)
         • Settlement for alleged violations of HIPAA (paper records lost on subway)
  13. HealthNet - Case Study
     • May 2009: Portable computer disk drive with 446,000 private records lost/stolen from HealthNet Connecticut
     • November 2009: HealthNet goes public about the breach, notifying the affected individuals and the Attorney General
     • January 2010: Connecticut Attorney General files suit against HealthNet alleging:
       – Improper handling of the breach event
       – Failure to timely notify affected individuals and the AG's office
       – 12 violations of HIPAA privacy and security rules
  14. HealthNet - Case Study
     • OUTCOME: July 7, 2010, HealthNet settles suit
     • HealthNet will pay CT $250,000 in statutory damages and implement a corrective action plan
     • If misuse of the data is established, such as actual identity theft, Health Net will pay CT an additional $500,000 in statutory damages
     • HealthNet incurred costs of over $7 million to forensically investigate, provide notification and credit monitoring…
  15. RECENT HIPAA/HITECH BREACHES
     • Massachusetts Eye and Ear – September 2012
     • Alaska Department of Health and Human Services – June 2012
     • Phoenix Cardiac Surgery – April 2012
     • Blue Cross Blue Shield of Tennessee – March 2012
     • Health Net Connecticut – January 2010
  16. Class Action Claims
     • Litigation
       – Breach guidance
       – Investigation
       – Notification
       – E-discovery
       – Litigation prep
       – Contractual review
       – Defense (MDL?)
     • Plaintiffs' Demands
       – Fraud reimbursement
       – Credit monitoring
       – Identity monitoring
       – Civil fines and/or penalties
       – Time
  17. Class Action—Tricare
     • September 2011: Backup tapes containing PHI of 4.9m patients treated at San Antonio military facilities between 1992 and September 7, 2011 stolen from the vehicle of a Tricare contractor Science Applications International Corp. (SAIC) employee
       – PHI: names, addresses, phone numbers, clinical notes, laboratory tests, prescription information, Social Security numbers
     • September 14, 2011: SAIC notifies Tricare
     • September 29, 2011: Tricare begins patient notifications
     • Tricare did not offer credit monitoring
  18. Tricare, cont'd
     • October 11, 2011: lawsuit filed, alleging, among other things:
       – The Tricare operations manual requires notification no later than ten days after discovery of a breach
       – Tricare was repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security but failed to effectively respond
     • Lawsuit seeks an award of $4,900,000,000 ($1,000 for each affected individual)
  19. Class Action—Sutter Health
     • October 15-16, 2011: Sutter Health's administrative offices burglarized, and a desktop PC, among other things, was stolen, containing:
       – Names, addresses, dates of birth, phone numbers, and email of 3.3m Sutter Physician Services patients treated between 1995 and January 2011
       – Information on medical diagnoses and procedures for 943,000 Sutter Medical Foundation patients treated between 2005 and January 2011
     • October 17, 2011: theft reported to police
     • November 15, 2011: Sutter Health began notifying affected individuals
     • November 16, 2011: first lawsuit filed; twelve filed thus far
  20. So What Else Keeps HIPAA Privacy Officers Up at Night?
     • Employee clinics
     • Cloud computing
     • Social media challenges
     • Encryption of portable devices and tracking—where is the PHI?
  21. Questions?
     Kimberly B. Holmes, Esq. (860) 408-2017
     Christopher Keegan (212) 915-8276
     John F. Mullen, Esq. (215) 358-5154