With the recent ransomware attack that happened across Europe and England last week, we thought it wise to publish some misconceptions that are common in the medical community regarding cyber security and data breaches.
Data privacy and network security are only a problem for large companies. While we only hear about the large security breaches affecting big companies, data privacy and network security are a concern for organizations of any size, and especially for healthcare organizations.
Ransomware recently infected a local medical group. Ransomware typically spreads as a trojan: its payload (in computer security terms, the part of the malware that performs the malicious action) is disguised as a seemingly legitimate file. The malware encrypts the targeted computer’s files and then displays a ransom note with an address belonging to the extortionist who demands the ransom. The inability to access the files and systems paralyzes the organization, making it difficult or impossible to function until the ransom is paid and the malware author hands over the decryption key.
We can afford to self-insure the risk. This is a common misconception. With greater demands and limited budgets, some companies mistakenly believe that if something happens they can cover the cost themselves. The average cost of a breach in 2013 was $733,000, according to the NetDiligence Annual Claims Study. In 2015, IBM and the Ponemon Institute reported that the average total cost of a data breach for the participating companies had increased 23 percent since 2013. Incident response expenses, notification, credit monitoring, investigation, and public relations add up very quickly.
Insurance coverage is expensive and hard to get. This may have been true years ago, but with increased capacity, more claims experience, and a larger pool of buyers, network security and privacy liability coverage is now more cost-effective and easier for medical groups to obtain.
Our general liability or errors and omissions (E&O) policy will cover us. General liability insurance typically covers bodily injury and property damage. The courts have consistently ruled that data is not property and is considered intangible. If you don’t carry additional, specific coverage for financial injury arising from a failure to protect confidential information, you’re probably exposed. E&O policies might offer some limited coverage, but typically do not cover items such as notification costs, credit monitoring, and the like.
We have vendors who handle our billing and claims. The data owner, the originator of the record or information, is ultimately responsible for that record or information. A breach at a trusted contractor still triggers your notification duty; the risk cannot be transferred to a contractor or vendor. You can sue the contractor or vendor to recoup your losses, but that does not address the immediate need for action.
Call us. We are happy to answer questions and determine what coverage you need. (818) 541-7900