Imagine this nightmare scenario – you’re a retail insurance broker who specializes in healthcare and one of your clients calls in a panic to say that there has been a data breach in their six-office dermatology practice – a thumb drive was lost or stolen and it contained personal information for 2,200 patients. They’re coming to you for reassurance that they are adequately covered and also asking for guidance on what they need to do – questions like this: “Who can I call for help in dealing with this?” “Do I have insurance?” “What does my insurance cover?” “Who do I notify first – my employees, patients or regulatory agencies?” Unfortunately, that scenario – or one very similar – is very likely to happen. Here are some key reasons why your healthcare client needs cyber liability coverage.
#1 Your client is probably not covered for cyber exposures under their GL policy – typically no coverage or inadequate coverage exists. Most policies exclude these exposures (ISO forms; Recording and Distribution of Material Information in Violation of Law Exclusion; Exclusion – Access or Disclosure of Confidential or Personal Information, or similar endorsements). Some PL policies offer breach notification expense in the event of a breach. Often electronic data restoration, data extortion payment, regulatory fines and penalties, and first-party interruption and loss of data are not covered. Policies that do provide a limited amount of these coverages are frequently written on an indemnification/reimbursement basis and do not provide defense or pay-on-behalf coverage.
#2 Healthcare is the most targeted and the least prepared industry in the U.S. when it comes to cyber attacks. Criminal hacking is now the leading cause of healthcare data breaches. The average cost of a healthcare breach is $363 per record. According to the Office for Civil Rights, there were 253 healthcare breaches in 2015. Each of those breaches affected 500 individuals or more, with a combined loss of over 112 million records. Modern Healthcare estimated that 1 in 3 Americans have had their medical records compromised in some way. The average selling price for a medical record is 10 to 20 times that of a U.S. credit card number. One survey found it cost an average of $13,500 and 200 hours for victims to rectify the consequences of medical identity theft.
#3 The costs of recovering from a data breach can be devastating without insurance. According to the NetDiligence 2014 Cyber Claims Study, the 85 claims studied totaled $62.3M, averaging $733,000 per claim. The same study showed that notifying victims that their information had been compromised and providing protective services such as credit monitoring cost an average of $366,000. The cost of legal defense averaged $698,000 and the average settlement cost was $558,000. Six of the claims studied had regulatory costs due to HIPAA violations, and settlements averaged $937,000.
#4 Cyber liability insurance can cover more than you might think. Policies are available to cover things like: security and privacy liability – issues arising from the breach, like a patient’s medical history being exposed to the public; data recovery – which includes the cost to restore lost or damaged data; regulatory proceedings – fines and penalties, most prominent in healthcare because all personal information is protected by HIPAA; privacy crisis expense – the cost of cyber security services to help contain the losses of victims; business interruption – covering the cost of lost income when the client has lost access to data and the business is therefore prevented from functioning. Access to a breach response team can also be included – your client will have a team of experts to guide them through the steps they need to take after a breach.
#5 Help with planning and prevention may also come with the policy. Some policies include risk management services. This may include pre-breach planning – help with managing and reducing their cyber risk – with tools like risk self-assessments, state-by-state breach notification laws and data breach cost calculators.
After your healthcare clients are adequately covered for cyber liability, it’s probably a lot easier for you to imagine your response to the call from the terrified client who has just experienced a breach. You can remind them that not only do they have the right coverage, but also expert help in cleaning up the mess at hand.