Imagine this nightmare scenario – you’re a retail insurance broker who specializes in healthcare and one of your clients calls in a panic to say that there has been a data breach in their six-office dermatology practice – a thumb drive was lost or stolen and it contained personal information for 2,200 patients. They’re coming to you for reassurance that they are adequately covered and also asking for guidance on what they need to do – questions like this: “Who can I call for help in dealing with this?” “Do I have insurance?” “What does my insurance cover?” “Who do I notify first – my employees, patients or regulatory agencies?” Unfortunately, that scenario – or one very similar – is very likely to happen. Here are some key reasons why your healthcare client needs cyber liability coverage.
#1 Your client is probably not covered for cyber exposures under their GL policy – typically no coverage or inadequate coverage exists. Most policies exclude these exposures (ISO forms; Recording and Distribution of Material Information in Violation of Law Exclusion; Exclusion – Access or Disclosure of Confidential or Personal Information, or similar endorsements). Some PL policies offer breach notification expense in the event of a breach. Often electronic data restoration, data extortion payment, regulatory fines and penalties, and first-party interruption and loss of data are not covered. Some policies that do provide a limited amount of these coverages are frequently written on an indemnification/reimbursement basis and do not provide defense or pay-on-behalf coverage.
#2 Healthcare is the most targeted and the least prepared industry in the U.S. when it comes to cyber attacks. Criminal hacking is now the leading cause of healthcare data breaches. Healthcare breaches increased 55.1% from 386 in 2019 to 599 in 2020, and the average healthcare firm took 236 days to recover from a breach. Modern Healthcare estimated that 1 in 3 Americans have had their medical records compromised in some way. The average selling price for a medical record is 10 to 20 times that of a U.S. credit card number. One survey found it cost an average of $13,500 and 200 hours for victims to rectify the consequences of medical identity theft.
#3 The costs of recovering from a data breach can be devastating without insurance. A 2021 study by Ponemon showed that in 2020 the cost of a breached record increased 16.3% from $429 to $499. The average medical practice in the U.S. has 2,300 patients, making the average data breach cost almost $1.2M. By the end of 2020 security breaches cost the healthcare industry $6 trillion.
#4 Cyber liability insurance can cover more than you might think. Policies are available to cover things like: security and privacy liability – issues arising from the breach, like a patient’s medical history being exposed to the public; data recovery – the cost to restore lost or damaged data; regulatory proceedings – fines and penalties, most prominent in healthcare because all personal information is protected by HIPAA; privacy crisis expense – the cost of cyber security services to help contain the losses of victims; business interruption – the cost of lost income when the client has lost access to data and the business is therefore prevented from functioning. Access to a breach response team can also be included – your client will have a team of experts to guide them through the steps they need to take after a breach.
#5 Help with planning and prevention may also come with the policy. Some policies include risk management services. These may include pre-breach planning – help with managing and reducing their cyber risk – with tools like risk self-assessments, state-by-state breach notification laws and data breach cost calculators.
After your healthcare clients are adequately covered for cyber liability, it’s probably a lot easier for you to imagine your response to the call from the terrified client who has just experienced a breach. You can remind them that not only do they have the right coverage, but also expert help in cleaning up the mess at hand.