3 Considerations for Evaluating Data Breach Insurance Policies

In 2011, 419 data breaches were publicly disclosed exposing a total of 22.9 million records, according to a study from the Identity Theft Resource Center. One of the reasons data breaches are so prevalent is because healthcare data increasingly exists in a less stable environment. The push to digitize, the outsourcing of data processing to cloud providers and the increase in mobile devices to conduct business has all contributed. The result has been a substantial increase in the visibility of the breaches and the costs associated with these incidents.

According to Doug Pollack, chief strategy officer at ID Experts, a provider of comprehensive data breach solutions, the last 18 months has seen a huge shift in hospitals looking to hedge the risks of data breaches by purchasing data breach insurance. This insurance is also known as cyber liability insurance or cyber risk insurance and has been around for about ten years. However, over the past few years, the interest has increased, says Christine Marciano, president of Cyber Data Risk Managers, an independent insurance agency specializing in data privacy and cyber liability risk. Although the coverage itself is not entirely new, changes in federal regulations and the onslaught of health information technology have brought the coverage and its implications to the forefront of industry issues. As John Correlli, ESQ, CIPP, privacy advisor and breach coach at JMC Privacy Consulting Group, recalls, "One industry professional termed it the 'wild west of coverage.'"

Like any insurance plan, the terms and costs of the policy depend on the healthcare organization and its needs as well as the insurance company itself. There are 30 different insurance companies offering cyber risk insurance, such as Wells Fargo Insurance Services, S.H. Smith & Company, Kiln Group and INSUREtrust. All the companies vary in the coverage they offer. The insurance is on a policy-by-policy basis right now, according to Ms. Marciano.

Despite variations, cyber liability insurance focuses mainly on mitigating legal liabilities that result from breach events. It pays for a healthcare organization to carefully evaluate its options to understand the policy they are purchasing. The following three considerations are important for hospital and health system officials when evaluating insurance carriers and policies.

1. Coverage, sub-limit options

The type of coverage in a data breach insurance policy directly correlates with the types of cost or exposure that a data breach causes. "Considering the potential exposure [for a hospital] gives an insurance company a cost point from which to base premiums, deductibles and limits for the coverage," says Mr. Pollack. There are three types of exposure: regulatory fines and penalties, class action lawsuits and response costs. All three may be covered differently depending on the insurance carrier. Hospitals can negotiate a total limit for their coverage but they may also be able to negotiate sub-limits for each type of exposure. Hospitals need to understand the coverage available for each exposure and look at not only the overarching limit but the sub-limits as well.

According to Ms. Marciano, most hospitals and health systems are looking for comprehensive coverage because they look to cover themselves for large debilitating data breaches. However, coverage for regulatory fines and response costs, such as call centers and credit monitoring, is the most popular among the options.

Regulatory fines, penalties
According to Ms. Marciano, if allowed by law, many data breach insurance plans will cover "privacy regulatory defensive penalties, including penalties or sanctions imposed by a federal, state or local regulatory body." In the investigation that follows a data breach, the HHS' Office of Civil Rights may determine neglect or a HIPAA violation by the healthcare organization was the cause. If so, the organization incurs a fine. As long as the law allows, an insurance plan can cover federal fines that may be assigned after a data breach, typically up to a certain limit, according to Ms. Marciano. For instance, if the limit is $500,000 for regulatory defensive penalties and the penalty is $1 million, the hospital would then have to pay the remaining $500,000.

Under the HITECH Act, there are four categories of violations that reflect culpability and four corresponding tiers of penalty amounts. The first tier is $100 for each violation and a total amount imposed in one calendar year for an identical violation may not exceed $25,000. The following tiers have the same limitations but the costs increase. The second tier is $1,000 for each violation and the total amount cannot be greater than $100,000. The third tier is $10,000 for each violation and the total cannot exceed $250,000. The fourth tier is $50,000 for each violation and the total may not exceed $1.5 million.

In July 2011, the University of California at Los Angeles Health System received a fine of $865,500 after complaints came from patients about unauthorized individuals viewing their records. In February of 2011, Cignet Health in Temple Hills, Md., received the first civil money penalty of $4.3 million for violating a HIPAA rule. Cignet had denied 41 patients their records, which made up $1.3 million of the fine. The other $3 million came from Cignet Health's failure to cooperate with HHS' investigation.

Claims, lawsuits

Similar to regulatory fines or penalties, a hospital's data breach insurance may cover claims or lawsuit costs up to an agreed upon sub-limit. When the data breach causes harm to individuals or the information breached was sensitive, lawsuits typically follow. It is up to the hospital to negotiate its limit for class action litigation. "If four million individuals are part of a lawsuit and the court decides they all deserve $100, that can become a very pricey class action," says Mr. Correlli. For this reason, the coverage for lawsuits and claims may be more difficult to determine.

Response costs
The amount of coverage an insurance company provides varies the most with response costs because it is the most complicated. Response costs may include forensic analysis, data breach coaches, notification and communication to affected individuals and identity and monitoring services. Some insurance carriers may cover all the response cost options, offer the hospital a choice among several or only cover a few. According to Ms. Marciano, a hospital can negotiate a policy for all response costs or coverage within just a few of the subareas. It is important for hospital officials to determine how they would like to respond to a data breach so they can find a policy that works best. The following three response costs are the most commonly covered in cyber liability insurance policies.

1. Forensic analysis. Some insurance companies may cover the forensic analysis required by law to determine what caused a data breach. Although HHS and the state government may conduct their own investigation, the hospital is expected to participate. The hospital needs to hire a forensic investigator to determine how the info was accessed. This may be a data breach coach or a privacy attorney, says Ms. Marciano. The data breach coach may also stay through the entire data breach response process and guide the hospital.

2. Notification and communication costs. Beyond notifying regulatory authorities, hospitals are required to notify all affected and potentially affected individuals. Whether an insurance plan will cover all the possibilities for notification and communication depends on the carrier. Many states require notification be sent through the mail. The notification of affected individuals can become more costly than just postage for letters. If enough individuals were victimized, the hospital may need to set up and staff a hotline or call center. Sometimes a website is built so that individuals can look up whether they were victimized and find resources to deal with potential consequences. "If there were 1,000 victims the price of the call center may be small but if there were one million victims, it could be quite substantial," says Mr. Correlli.

3. Credit, identity monitoring.
Cyber liability insurance may cover the identity protection that a hospital offers affected individuals. "Hospitals are increasingly offering recovery services for individuals to avoid healthcare fraud and identity theft," says Mr. Pollack. "Hospitals want this to be covered by the insurance policy because the price of a full year of identity monitoring for each data breach victim can rise quickly." According to Mr. Pollack, some insurance policies cover credit monitoring for affected individuals but not broader identity or healthcare monitoring. "If your have very sensitive diagnostic data, you may want a more comprehensive policy that offers medical monitoring and other types or remedial capabilities," says Mr. Pollack. "Some policies may be more flexible than others."

2. Premiums and deductibles

Beyond negotiating the coverage and the vendor choice, hospitals and health systems need to understand what options are available for data breach insurance in terms of limits, deductibles and premiums. These elements are important because a hospital could suffer multiple small breaches in a year or incur a large debilitating breach. Two major factors determine the premium and the deductible on a hospital or health system's cyber liability coverage: the existing security measures and hospital revenue.

Existing security measures

Security and privacy controls are very important for hospitals. Not only do they safeguard the data to minimize the risk of a data breach, but also they can dictate data breach insurance premiums. "The more privacy controls [the hospital] has and the more security monitoring they conduct, the more favorable the premium," says Ms. Marciano.

Security measures are important for another reason as well. Compared to other forms of insurance, data breach insurance does not deal with exceptions. According to Ms. Marciano, as long as the hospital or health system was enacting the proper data and security protections — no matter what caused the data breach — the data breach response costs will be covered. "With healthcare, the claims are typically honored," says Ms. Marciano. "That is because [hospitals and health systems] enact the required security risks."

Hospital revenue
According to Ms. Marciano, hospital revenue plays a bigger role in determining premiums and deductibles. This is because the revenue most often directly correlates with medical records — higher revenue may mean more medical records. A health system, with revenue in the upper millions, may be fully integrated with an EHR system whereas a smaller community hospital may have a less integrated EHR system. For this reason, a large, highly integrated hospital may be more at risk for a large enterprise-wide data breach and would need a deductible and premium to reflect that.

A hospital with $170 million in revenue could have a $50,000 deductible for one million dollars in coverage, says Ms. Marciano. The annual premium would be $25,000 to $30,000. Another small hospital with $350 million in revenue could have the same coverage limits but pay an annual premium of $45,000 to $50,000. "These are both small hospitals but the difference in premiums despite the similar coverage limit and deductible gives you an idea of how a higher risk hospital would pay more in premiums," says Ms. Marciano.

"Overall, the premiums and deductibles depend on how much the hospital wants to insure themselves for — how large it would like its total coverage limit to be," says Mr. Pollack. For instance, if a hospital has a $2 million deductible and they have many small data breaches, the costs would all be out of pocket. "Officials have to decide if they want to set the deductible to cover the hospital's small data breaches or the potential for a larger data breach," says Mr. Pollack.

3. Vendor options

Just as there are many options for covering response costs, there are many different vendors and companies to guide the response process. If a hospital uses a vendor for their data security tools, they may want to use the same vendor to mitigate a data breach. However, some insurance carriers may prefer to dictate the vendor a hospital uses. A hospital needs to know what they will prefer before they select an insurance company.

"If a vendor list is open the insurance company will recommend a certain vendor for data breach coaching, for forensic analysis, for call center set up etc.," says Ms. Marciano. "If the vendor is not on the insurance company's list, it would need to be preapproved. Some may allow a hospital to choose their own vendor and others may not, it really depends on the carrier," says Ms. Marciano.

If a hospital wants to use an internal data response team to set up the notifications and communication to affected individuals, it will need to negotiate that with the hospital. Mr. Correlli recommends that hospitals who want to use their own team, or that want the freedom to choose their own vendors, look for a flexible insurance plan. "The hospital needs to decide how much response they would like to initiate independently and how much it would like the insurance company to do. Then the hospital needs to decide whether or not it would like a say in the choice of vendors," says Mr. Correlli. "The choice to use an internal team or to rely on the insurance company's vendors may affect the cost of the premium and the cost of the deductible."

Mr. Pollack agrees, "A major implication in choosing cyber liability insurance is the level of flexibility the hospital has in tailoring its response after an incident. This may sound like a no-brainer, but in the case of cyber risk insurance, the hospital needs to look into the detail of the policy."

Cyber risk insurance is a relatively new type of insurance and policy offerings can vary widely. Policies can also be costly. It makes good sense to evaluate data breach risks, identify vulnerabilities and then shop wisely for a policy that meets the hospital or health systems needs. Cyber risk insurance is not a substitute for implementing good data protection and it does not cover all expenses such as diminished reputation or patient loyalty. However, knowing what is available and how to evaluate the policies is a good place to start.

More Articles on Data Breaches:

HIMSS: Increased HIPAA Compliance Has Yet to Increase Data Security
8 Recent Data Breaches
South Carolina Medicare, Medicaid Breach Affects 228K, Former HHS Employee Arrested

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars