By Mike Walsh, AIC, CPCU
Liability Claims Manager
This month’s blog series explores cyber liability coverage. LHA Trust Funds provides basic cyber liability coverage of $100,000 at no cost to members through our partnership with Tokio Marine, with the option of purchasing higher limits.
Since the word “cyber” refers exclusively to computers and information technology (IT), it is reasonable to assume your cyber coverage only applies to losses caused by ransomware, hacking, and other IT risks.
Fortunately, that is not the case. Privacy-confidentiality and/or HIPAA violations are fairly commonplace non-electronic risks that may be included in your cyber coverage.
Security and Privacy Wrongful Acts
The Cyber Liability coverage agreement states, in part, under Coverage B, that:
“…we will pay damages which you or a Protected Person becomes legally obligated to pay…resulting from a claim for an actual or alleged security and privacy wrongful act.”
Furthermore, under the Definitions section of the cyber coverage agreement, a security and privacy wrongful act includes privacy breaches. A privacy breach is defined as:
“Any of the below, whether actual or alleged, but only if committed or allegedly committed by you or by others acting on your behalf for whom you are legally responsible, including BPO (Business Process Outsourcing) service providers and outsourced IT service providers:
As defined by the coverage agreement, damages do not include fines, sanctions or penalties, but would include any general damages for psychological or emotional distress allegedly caused by the privacy breach.
Cyber Coverage Claims
Here are just a few examples of actual claims that cyber coverage has accepted due to potential privacy/HIPAA violations:
- A nurse at a clinic recognized a patient as her sister-in-law’s boyfriend. She checked the chart and saw that he was being treated for a sexually transmitted disease. The nurse then texted that information to the sister-in-law.
- A hospital employee in the Health Information Management office, at her father-in-law’s request, looked at the chart of a patient who was applying for a job at the father-in-law’s company. It was alleged that, based on the medical information the employee provided, the plaintiff did not get the job.
- An emergency room employee shot a brief video with her phone of a very intoxicated patient and forwarded it to several people. One of the video recipients knew the patient.
- A hospital notified a patient that an employee had improperly reviewed the patient’s chart. The patient alleged that the hospital waited three months before notifying the patient, resulting in an unreasonable amount of time for personal information to be disseminated in a small community.
Any claim or even a potential claim that involves an invasion of privacy and/or breach of confidentiality should be reported to LHA Trust Funds. We will, in turn, put Tokio Marine on notice under the cyber coverage.
It is important, under the language of the cyber coverage agreement, that claims or potential claims be both made and reported during the coverage period. Do not delay. When in doubt, err on the side of caution and report the issue to our office as soon as possible.
Questions? Do you need to report an incident? Please contact Liability Claims Manager Mike Walsh at (225) 368-3815 or firstname.lastname@example.org.
Because cybersecurity risks are constantly evolving, we want our LHA Trust Funds members to be as knowledgeable and prepared as possible. Search our Cyber Liability & Risk Toolkit for the latest information regarding cyber liability risks.