In a recent article entitled, “Your Medical Record is Worth More to Hackers than Your Credit Card Security,” Reuters reported cyber criminals are increasingly targeting the U.S. health care industry. According to the article, the increase in data breaches is due in large part to companies in the health care industry using outdated computer systems that are not equipped with the latest security features, such as encryption. The transition to electronic medical records by many health care providers is exacerbating the problem as more information becomes vulnerable to electronic theft. According to the Ponemon Institute, the percentage of health care organizations that have reported a cyber attack has increased from 20 percent in 2009 to 40 percent in 2013.
Criminals’ methods for making money are becoming increasingly sophisticated. Hackers are now stealing medical information and selling personal data for medical fraud. As pointed out in the Reuters article, medical information is worth 10 times more than credit card numbers on the black market. The type of data criminals are after includes names, birth dates, policy numbers, diagnosis codes, and billing information. This information allows them to create fake IDs to purchase medical supplies, purchase drugs for resale, and file false claims. Further compounding the problem is that medical identity theft is often not identified as quickly by victims as the theft of other personal information such as credit card numbers.
The liability organizations may face for breaches of personally identifiable health information, which could include regulatory fines and penalties by the Office of Civil Rights, the Department of Labor or State Attorneys General, among others, could be covered under a Cyber Liability Insurance Policy.
Here’s a high-level look at what these policies cover:
- Information security and privacy liability for failure to protect patient or company information held on computer systems, smartphones, laptops, or even paper files
- Cost to notify affected individuals that their personal information has been breached, as required by HIPAA and HITECH
- Cost to provide credit monitoring services for affected individuals
- Public relations and investigative costs
- Personal injury (such as libel) that may result from the use of blogs on your website or other social media
- Costs associated with fines for not adequately gathering and storing information that could possibly be used to harm an individual
Many health care companies assume these exposures are covered under one of their other insurance policies, but traditional insurance policies were not designed to cover these types of liabilities, and a growing number of insurers are adding cyber liability exclusions to General Liability policies, Crime policies, and other insurance policies. While some carriers might offer you an endorsement to provide coverage for a specific component of your cyber liability exposure, it is usually not as comprehensive as buying a separate policy.
Health care companies should consider upgrading computer systems and implementing greater controls for protecting electronic medical records from hackers in addition to purchasing a Cyber Liability insurance policy. Cyber Liability insurance is a coverage that many companies in the health care industry have traditionally overlooked, but given the increase in cyber attacks on the industry, it’s important, now more than ever, to seriously consider adding this coverage as a component of your risk management program.