With the reach and capabilities afforded by today's business technology comes inherent, but often unforeseen, risk. Businesses in all industries that aggregate and maintain third-party data are particular targets of information theft and network security breaches.
In the health care industry, where patient data is regularly transferred among multiple organizations, mitigating the risk of data loss and an organization's cyber liability is paramount. The following are real-life examples that highlight what can happen if precautions aren't taken to protect hospitals.
Man sues hospital system over security lapse
An Indiana man has sued a hospital system over a security lapse that might have exposed the private information of more than 260,000 patients. The gentleman claimed in his federal lawsuit that the hospital and its contractor violated federal HIPAA privacy laws and failed "to take reasonable corrective action," such as promptly notifying patients of the breach. Damages were sought, including no less than $5,000 for each affected class member.
Hackers break into hospital computer system
A children's hospital had to notify about 240,000 patients that someone hacked into its computer system and gained access to sensitive information, including Social Security numbers and bank account records. While the computer breach happened over Labor Day weekend, the hospital didn't alert the FBI until mid-October, and didn't start notifying patients until the end of October.
Personal patient information posted on Internet
A hospital in Concord fired a Washington-based company that it said managed its online billing system and left the personal information of more than 9,000 patients unprotected on the Internet for more than a month. The company accidentally posted the patients' names, addresses, birthdates and Social Security numbers on the Web when a computer security system was disabled for maintenance but never replaced, the hospital said. It took the company more than a month to notice the problem and report it to the hospital.
Such cases have forced hospitals to consider protecting themselves against potential security breaches. A number of hospital systems are now placing insurance coverage for these exposures. Insurance coverages include:
• Coverage for customer notification expenses to warn customers or patients of security breaches (as required under law by a growing number of states)
• Coverage available for loss including fines and penalties arising out of HIPAA, CA 1386, and other privacy or consumer protection errors
• Enterprise data privacy
• Errors and omissions coverage for delivery of technology professional services
• Network security protection and unauthorized access, including rogue employee coverage
• Coverage for a breach of an insured's privacy statement
• Malicious code, cyber-attacks and inadvertent transmission of viruses
Insurance coverage may not necessarily be the best solution for these exposures, but we believe it is prudent to evaluate how your organization is handling these IT issues and at least obtain quotations for coverage.
Insurance professionals who specialize in the health care industry understand the financial risks for hospitals and the appropriate insurance to address these risks. A knowledgeable broker will work in conjunction with a hospital's risk management team to set guidelines to reduce risk and lay out the necessary steps to mitigate claims, enabling hospitals to focus on caring for and protecting their patients.
Buchanan is principal and Healthcare Practice Group leader at Barney & Barney.