Why Your Healthcare Organization Should Understand Its Cyber Liability Coverages — and Limitations
Cyber-attacks are a top concern for healthcare organizations nationwide, especially ransomware and data security breaches that compromise private patient information (PPI) and other sensitive data.
LHA Trust Funds members have cyber limits of $100,000/$100,000 included in their professional liability insurance policies to cover costs that may be incurred as a result of a system breach. Coverage is also provided, in specific situations, for liability to others arising from allegations of negligence, including defense costs.
However, cyber liability policies are very complex, include many exclusions and carefully define coverage triggers. As a result, the allegations and facts surrounding an actual event determine if coverage applies to a given situation.
The following cyber liability claim examples illustrate different ways your cyber liability coverage can safeguard against potential claims — and why your organization must understand your existing coverage benefits and limitations.
HIPAA vs. Breach of Privacy
A healthcare facility employee working in the emergency room improperly accessed the electronic healthcare records of a patient. The employee and the patient — both women — had a relationship with the same man.
The facility confirmed that the employee had indeed accessed the records without authorization and verified that personal information that could only be gleaned from those healthcare records was relayed to third parties outside of the work environment.
A copy of a lawsuit filed in city court was the initial notice of a claim to the LHA Trust Funds office. The lawsuit alleged a HIPAA violation and a general tort claim of “breach of privacy.” Federal HIPAA laws do not extend a private cause of action to victims. They allow only the awarding of penalties, fines, and attorney fees. In this case, the plaintiff’s cause of action arises solely under Louisiana law.
The unauthorized disclosure of medical information by a healthcare provider to a third person “may give rise to causes of action for breach of a statutory privilege, for invasion of privacy or for a breach of contract.” See Leger v. Spurlock, 589 So. 2d 40, 42 (La. App. 1st Cir. 1991).
The action can also be an intentional tort. The healthcare facility’s liability for its employee’s conduct arises under the doctrine of respondeat superior, or vicarious liability.
The Cyber Liability coverage agreement states, in part, under Coverage B, that:
“…we will pay damages which you or a Protected Person becomes legally obligated to pay…resulting from a claim for an actual or alleged security and privacy wrongful act.”
In this particular case, the healthcare facility’s cyber liability coverage was triggered by the security breach.
The plaintiff had not retained legal counsel, filing the suit herself and making a settlement demand of $25,000. The plaintiff agreed to a nominal settlement of $4,000 once it was verified that she had not received any medical or psychological treatment to substantiate damages sustained because of the breach.
Since liability was clear, going to trial would have cost far more than the settlement amount.
Cyber Extortion vs. Cybercrime
A healthcare facility notified LHA Trust Funds of a financial fraud that had occurred via their computer network. A bad actor posing as a healthcare vendor sent fraudulent payment instructions through email, and the healthcare facility sent a payment of more than $100,000 to the fraudulent bank account.
The healthcare facility’s bank was unable to reverse the funds.
The standard/primary cyber coverage provided by LHA Trust Funds through its association with Tokio Marine Insurance Company covers Cyber Extortion and Cyber Terrorism. Both terms refer to specific crimes that are expressly defined in the coverage agreement, and neither applied to the circumstances of this claim.
Cyber Extortion is defined as “a credible threat or series of related credible threats, including but not limited to a demand for cyber extortion monies, directed at you.”
An act of cyber terrorism includes “the use of information technology to organize and execute large-scale attacks against computer systems, networks and/or public internet, resulting in disabling and/or deleting critical infrastructure, data or information.”
In this case, the cyber carrier’s denial of coverage stated that “the matter submitted for our review constitutes a more general cybercrime event and as such there is no coverage.” Most facilities will have a separate crime policy and should confirm with their carrier that coverage for cybercrime is included.
LHA Trust Funds participants should be aware that Tokio Marine offers various layers of excess coverage that provide broader protection for cybercrimes such as the fraudulent payment in this claim.
Report Cyber Claims Early
Cyber claims should be reported as soon as a potential breach is known. A late report can result in a potential coverage denial by your cyber carrier.
Any claim made for potential cyber coverage should be submitted in writing (email is acceptable notice) to Mike Walsh, Director of Claims, or to Jamie Lamb, Director of Claim Operations.
Brush Up On Your Cyber Liability Coverage
LHA Trust Funds offers a variety of comprehensive coverage solutions to fit your unique needs. Cyber liability coverage can be complex, so understanding what your current coverage provides, what the limitations are, and the requirements of your healthcare facility is vital.
To discuss your cyber liability coverage or obtain an estimate on the cost of higher limits, please contact us here.
___
Because cybersecurity risks are constantly evolving, we want our LHA Trust Funds members to be as knowledgeable and prepared as possible. Search our Cyber Liability & Risk Toolkit for the latest information regarding cyber liability risks.