Cyber Liability

To help in understanding a cyber policy, here are some Claims Examples.

Damaged Computer Server

A damaged server containing personal information of employees and patients prevented a physician from effectively operating his practice. Under the NAS cyber policy's Network Asset Protection agreement, the physician was able to receive reimbursement for IT-related expenses to rebuild and restore the server, as well as personnel time to recreate the electronic records.

Claims paid: $45,000

Source: NAS Claims Dept., 2013

Online posting of unauthorized photos

A physician posted unauthorized photos of several patients on her website that were identifiable by name. There have been 15 invasion-of-privacy actions against the physician to date, with several settling in the range of $150K per plaintiff.

Additional legal expenses incurred: $50,000

Source: NAS Claims Dept., 2013

Employee stole patient identities and credit card information

An employee of a doctor stole the identities of multiple patients and made credit card purchases with the stolen information. The doctor became aware of the breach when the employee was arrested. Local and federal law enforcement later advised the doctor that the identities of 5 patients, and approximately $10,000, had been stolen by this employee. Two of the patients filed a lawsuit against the doctor in connection with the identity theft. The patients alleged that the doctor failed to prevent the unauthorized access of their credit card information. The patients sought compensatory damages and emotional distress damages.

Defense Costs: $25,000
Settlement: $20,000

Source: NAS Claims Dept., 2013

Stolen physician's laptop

A physician suffered a burglary at his residence and his work laptop was stolen. The laptop held the entire patient database of his 15-doctor medical group, comprising 57,000 records. Unfortunately, the laptop was not encrypted. Legal counsel was appointed to determine notification requirements and manage the response process. Counsel worked with the Insured's IT department to determine that there were 37,000 unique identities on the laptop. The medical group was also required to publish a notice of the breach on their website and in the local media. Additionally, the group was required to notify the Office of Civil Rights of the breach, which led to a Department of Health and Human Services investigation. The Office of Civil Rights required a complete submission from the medical group outlining how they were in compliance with the various provisions of HIPAA. Counsel worked with the medical group to show proof of strong privacy controls and training procedures, resulting in the DHHS closing its investigation.

Total expenses: $44,000

Coverage definition

Coverage can provide 1st Party Cyber Liability and/or 3rd Party Cyber Liability. 1st Party Cyber Liability covers the expenses related to responding to a data breach, such as notifying patients about the breach and paying HIPAA fines. 3rd Party Cyber Liability is designed for businesses that build and maintain technological systems that store and manage health data. If your business has a hand in creating or managing health record software, you can be held liable when that system is breached and sensitive information is exposed.


What is cyber liability?

A cyber liability policy covers both Third-Party Liability and First-Party Coverages.

Third-Party Coverages deal with businesses that build and maintain technological systems that store and manage health data. If your business has a hand in creating or maintaining health record software, you can be held liable when that system is breached and sensitive information is exposed.

First-Party Coverages deal with responding to the data breach and paying HIPAA fines.

If you have any questions, please give our Medical Malpractice Division a call.
