Enhanced Cyber Liability coverage

Patient data breach caused by a staff member error

• A staff member at a small medical group received a call from a patient requesting a blank medical records release form. The staff member intended to email the form to the patient, but inadvertently attached a list of 75,000 dormant patient accounts, including names, dates of birth, and chart numbers. The patient alerted the group to the error and promised to destroy the information. Breach counsel was immediately retained to assist with the breach response plan. A public relations (PR) firm was also retained to help draft a media notice because the group was in a very small town and thousands of the the affected individuals still resided in the area. Counsel also engaged an IT forensic investigation firm to determine if the patient list had been properly destroyed by the recipient. Cyber liability insurance covered the group’s legal expenses and costs to notify local media, the OCR/DHHS, and affected individuals, as well as PR expenses, IT forensic expenses, and the costs to provide credit monitoring to affected individuals. The claim totaled $128,000.

Health care records found on a public internet forum

• A health care facility received an anonymous phone call from a web developer who found electronic health information of several patients on 4chan, a public internet forum. A forensic investigation determined that the facility’s system had been breached several months earlier, and the electronic health information had been accessible on 4chan for some time. Also, it appeared that the information had been downloaded several times outside the US. Approximately 8,700 individuals were impacted by the breach. Due to the size of the breach, the facility also notified local media and the OCR/DHHS. The OCR/DHHS responded by filing a formal complaint against the facility for violations of the HIPAA Privacy and Security Rules. Cyber liability insurance covered the facility’s legal and PR expenses, notification costs, the costs to provide credit monitoring to affected individuals, the costs to set up a call center to handle patient inquiries, and defense fees relating to the OCR proceeding. The claim totaled over $270,000.

Clinic experiences a ransomware attack

• A pediatric clinic fell victim to a ransomware attack, in which more than 100 computers were affected. The computers contained confidential patient information, which may have been compromised during the breach. The clinic did not pay the ransom and instead focused its efforts on reconfiguring the impacted computers and restoring the lost data from a backup. However, the clinic soon discovered that back ups were never properly executed or stored. Breach counsel determined that the incident was a breach under HIPAA Rules, requiring notification to all patients of the clinic because it could not be determined exactly how many patient records were compromised by the breach. Cyber liability insurance covered the breach notification costs, which totaled approximately $140,000.