Cyber & Privacy Liability for Health Care Industry


Page 1

USI Insurance Services

Cyber and Privacy Liability for Healthcare Providers

USI Management and Professional Services

Page 2

Confidential

Cyber and Privacy Exposures Are Significant Sources of Liability Claims Against Healthcare Providers

Cyber Liability: 1st- and 3rd-party risks associated with online activities (Internet, network and data assets).

Privacy Liability: Liability arising out of misuse or improper disclosure of personal data (e.g., Social Security number or credit card number).

Page 3

Errors & Omissions

• Typically excludes a security breach

• Typically tied to/requires an act of negligence to trigger coverage

General Liability

• Excludes damage to and corruption of electronic data

• Covers only “tangible” property

• Personal & advertising liability does not cover violations/misuse of private information

Property Insurance

• Coverage is specific to physical loss or damage to tangible property (named)

• Courts have consistently held that data is not tangible property

Crime Insurance

• Covers loss due to employee theft of money, securities or other property

• Property must be tangible and have intrinsic value

• No coverage for confidential information

The Insurance Gap

Cyber & Privacy Claims are Not Covered under Traditional Insurance Policies

Page 4

Providers Increasingly Challenged to Manage Expanding Regulations with Limited Budgets and Resources

Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits

State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control.

Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud

Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years

Fair and Accurate Credit Transactions Act (FACTA): Disposal Rule, passed in 2003, created standards to help reduce identity theft and allows consumers to obtain a free annual credit report

Hi Tech: Applies to certain healthcare facilities and is an expansive amendment to HIPAA

Page 5

Health records commonly include date of birth, social security number, credit card number and address

Healthcare breaches increased 32% in 2011 over 2010

Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically

Lack of employee training in data security and privacy in healthcare

Lax office procedures related to confidential patient information

Increased Cyber and Privacy Liability regulatory challenges:

HIPAA Act (Federal)

HI-TECH (Federal) & PPACA

State laws (e.g., California Confidentiality of Medical Info)

Healthcare Industry Number One Target For Criminal Organizations Looking for Personal Information

Page 6

Average Cost of Data Breach in 2011: $5.5 million*

*Ponemon Institute and Symantec

Health system accidentally posts medical records of thousands of patients on the Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million, with total costs at $20+ million.

May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.

Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to third party to be erased; only two boxes arrived at facility.

June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.

May 2012: Receptionist at psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution under discussion.

Information no longer resides exclusively on servers: data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!

Page 7

Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks I

HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).

Plaintiff Attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provide multiple actionable causes and there is no sign of abatement.

Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.

Healthcare Holds or Transmits More Personal Data than Any Other U.S. Business Segment

Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!

Page 8

Source: http://datalossdb.org

[Chart: share of healthcare data-loss incidents by breach type, per datalossdb.org. The two largest categories are hacking (30%) and fraud / social engineering (17%); the remainder is spread across stolen laptops, web exposure, document disposal, stolen and lost documents, stolen computers, postal mail, email, lost or stolen drives, viruses, lost or stolen media and tapes, lost or stolen mobile devices, computer disposal, and unknown causes, each at 9% or less.]

Almost 50% of Losses Come From Fraud and Hacking

Page 9

The USI SOLUTION

EXPERIENCE

• Coverage is modular – it is essential to know which coverage fits a specific risk

• Policy language varies from carrier to carrier, no two policies are the same.

EXPERTISE

• Dedicated team of Network Security & Privacy experts

• Experience in the policy features critical to Health Care Providers

MARKET LEVERAGE

• Access to the leading network of insurance carriers

• Ability to creatively tailor coverages to meet the needs of each unique client

Page 10

1st Party Coverage: Losses Your Company Suffers Directly

Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as the distinction between extortion, terrorism, act of war, etc. is still developing.

Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean the cost of new software/hardware, but restoration to pre-loss condition.

Business Interruption: Covers costs and expenses resulting from a shutdown of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.

Crisis Management: Covers the cost to hire a public relations firm to protect brand image and reputation following a breach.

Page 11

3rd Party Coverage: Losses Suffered By Your Patients or Clients

Media or Content Liability: Covers the insured’s economic liability when hackers / unauthorized users access the insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use, denial of service attacks, etc.

Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of the insured’s failure to protect private or confidential patient data, whether in electronic or paper form (defense and settlement costs).

Coverage may include the following, subject to sub-limits or a per-record basis: notification expenses, credit monitoring, event management, governmental regulatory claims.

Page 12

Additional 3rd Party Coverage

Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources – typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios.

Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,

Page 13

Interested in Learning More?

Toni L Ferrari

Commercial Insurance Executive, Healthcare Practice

Mid-Atlantic Region

Phone: 757 640 5466

Mobile: 757-406-5229

[email protected]