Cyber Liability

To help in understanding a cyber policy, here are some claims examples.

Damaged Computer Server

A damaged server containing personal information of employees and patients prevented a physician from effectively operating his practice. Under the NAS cyber policy's Network Asset Protection agreement, the physician was able to receive reimbursement for IT-related expenses to rebuild and restore the server, as well as personnel time to recreate the electronic records.

Source: NAS Claims Dept., 2013

Online posting of unauthorized photos

A physician posted unauthorized photos of several patients, identifiable by name, on her website. There have been 15 invasion of privacy actions against the physician to date, with several settling in the range of $150K per plaintiff.

Additional legal expenses incurred: $50,000

Source: NAS Claims Dept., 2013

Employee stole patient identities and credit card information

An employee of a doctor stole the identities of multiple patients and made credit card purchases with the stolen information. The doctor became aware of the breach when the employee was arrested. Local and federal law enforcement later advised the doctor that the identities of 5 patients, and approximately $10,000, had been stolen by this employee. Two of the patients filed a lawsuit against the doctor in connection with the identity theft. The patients alleged that the doctor failed to prevent the unauthorized access of their credit card information. The patients sought compensatory damages and emotional distress damages.

Defense Costs: $25,000
Settlement: $20,000

Source: NAS Claims Dept., 2013

Stolen physician's laptop

A physician suffered a burglary at his residence and his work laptop was stolen. The laptop had his entire 15-doctor medical group's patient database on it, comprising 57,000 records. Unfortunately, the laptop was not encrypted. Legal counsel was appointed to determine notification requirements and manage the response process. Counsel worked with the Insured's IT department to determine that there were 37,000 unique identities on the laptop. The medical group was also required to publish a notice of the breach on their website and in the local media. Additionally, the group was required to notify the Office of Civil Rights of the breach, which led to a Department of Health and Human Services investigation. The Office of Civil Rights required a complete submission from the medical group outlining how they were in compliance with the various provisions of HIPAA. Counsel worked with the medical group to show proof of strong privacy controls and training procedures, resulting in the DHHS closing its investigation.

Total expenses: $44,000

Coverage definition

Coverage can provide 1st Party Cyber Liability and/or 3rd Party Cyber Liability. 1st Party Cyber Liability covers the expenses related to responding to a data breach, such as notifying patients about the breach and paying HIPAA fines. 3rd Party Cyber Liability is designed for businesses that build and maintain technological systems that store and manage health data. If your business has a hand in creating or managing health record software, you can be held liable when that system is breached and sensitive information is exposed.

What is cyber liability?

A cyber liability policy covers both Third-Party Liability and First-Party Coverages.

Third-Party Coverages deal with businesses that build and maintain technological systems that store and manage health data. If your business has a hand in creating or maintaining health record software, you can be held liable when that system is breached and sensitive information is exposed:

  • Security - Failure of network and information security to prevent the transmission of computer viruses or the penetration of a hacker.
  • Privacy - Failure to protect private or confidential information.
  • Media/Content - Libel, slander, and other forms of disparagement with respect to display of material online, as well as infringement of a copyright by your website content.
  • Regulatory Actions

First-Party Coverages deal with responding to the data breach and paying HIPAA fines:

  • Business Interruption - Interruptions in business due to breaches of a practice's network (e.g., a denial of service attack).
  • Crisis Management - Expense of retaining a public relations firm to help mitigate damage to the insured's reputation and brand image (typically sub-limited).
  • Extortion/Threat Expenses - Costs to investigate, negotiate, and settle threats made against the insured related to intentional computer attacks.
  • Privacy - Expenses for breach response services such as notification, credit monitoring, and identity-credit repair.

If you have any questions, please give our Medical Malpractice Division a call.