One of the nation’s largest pediatric health care providers, Children’s Health in Dallas, was recently forced to pay $3.2 million in federal penalties as a result of breaches in its data.
The government imposed the penalties despite the fact that neither patients nor their families were affected by the loss of data.
The penalties arose after a smartphone containing unencrypted patient information for 3,800 individuals was lost at the Dallas-Fort Worth International Airport in 2009. The fines also stemmed from a 2013 theft at the hospital of an unencrypted laptop containing information for almost 2,500 patients.
Why did the government feel it had to exact its pound of flesh, when no one was hurt by the crimes?
Very simply, it found the hospital liable in the “impermissible disclosure of unsecured” health information.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” the U.S. Department of Health and Human Services’ Office for Civil Rights said.
“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” the agency said.
In other words, the lack of adequate precautions alone was sufficient to warrant the sanctions.
This sort of thing, unfortunately, is happening to health care providers of all types and sizes.
Cyber criminals know that hospitals, home-health firms, hospices and others in the health care business collect and store all kinds of personal data from their patients – including Social Security and credit card numbers and insurance information.
Accenture, the big consulting firm, estimated that one in 13 patients will have their personal information hacked and stolen within the next five years.
The cost of this for U.S. health systems alone? More than $300 billion, according to Accenture.
The out-of-pocket costs for victims, meanwhile, will total nearly $56 billion.
Accenture’s report noted that many organizations are not well prepared to deal with the inevitability of a significant data breach.
The good news in all of this is that, along with using encryption and putting into place a few key safeguards, a cyber-insurance policy can help protect health care businesses from the fallout.
What Cyber Liability Covers
Some business insurance policies, such as a Business Owners Policy, or BOP, include coverage for certain types of cyber incidents. For example, if you lose electronic data because of a computer virus or hardware failure, your insurance may pay recovery or replacement costs.
The problem is that general liability policies don’t cover economic loss. Property insurance will pay for damage to tangible property, not data that is lost. And a crime policy won’t provide coverage for lost client data.
This is why health care companies need a standalone cyber policy to address the full range of cyber risks. These policies include coverage for:
- loss or corruption of data;
- business interruption;
- credit monitoring and identity theft repair for victims of the breach;
- cyber extortion.
The more robust policies also include access to a team of specialists in law, public relations, cybersecurity, and computer forensics.
Best of all, insurers will require that health care providers put in place extra security measures to qualify for a cyber-liability policy. This can include passcode protections, firewalls, setting limits on how long you store credit card information and more.
It’s a safe bet that Children’s Health had a cyber policy. That means its government fine might have been paid – but only if the insurance company agreed to cover the loss despite the fact that, in leaving the data unencrypted, Children’s had failed to take the required precautions.
Scott Asbury is an Insurance Advisor at CCIG. Reach him at ScottA@thinkccig.com or 720-212-2048.