Healthcare Data Breaches: Handle with Care
ID Experts Webinar, November 13, 2012
www.idexpertscorp.com

The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.

Presenters
Jeremy Henley, Insurance Solutions, ID Experts, jeremy.henley@idexpertscorp.com
Anthony Dagostino, VP, Professional Risk, ACE Group, Anthony.Dagostino@acegroup.com

Webinar Agenda
Emerging trends in data breach
How healthcare data breaches are different
Proven strategies to optimize your breach response
Privacy liability insurance coverage and benefits

Mobile Threats
New technologies create new risks
Use of multiple mobile devices creates multiple data access points
Devices and removable media are often unencrypted (encryption is the main safe-harbor exception when deciding whether lost data triggers notification)
Increasing use of personal devices (BYOD trend)

Outsourcing Risks
Economics drives organizations to outsource software and services
The cloud introduces new, difficult-to-control risks
Business services, especially those outside the US, add multiple data exposure risks

Root Causes of Data Breaches
Top breach triggers (share of claims):
Human error 20%
Hack 20%
Lost/stolen laptop 15%
Paper 9%
Lost/stolen tapes/CDs 9%
Privacy policy violation 4%
Lost/stolen USB 4%
Software error 3%
Lost/stolen mobile 3%
By type of organization (share of claims):
Hospitals 58%
MCO 20%
Vendor (billing/TPA/IT/software) 11%
Office/rehab/LTC 10%
Source: ACE USA Healthcare Privacy Claim Trends, 2012

Healthcare Data Breaches are Different
Type of data lost
Complexity of rules and regulations
Common threats
Rigorous enforcement
Reputational harm
Costs
Cyber/privacy insurance

Financial Burden of a Healthcare Breach
First-party expenses:
Breach coach/consultant
IT forensics firm
Legal: compliance with regulations, indemnification rights
Notification
Call center
Public relations/crisis management
Credit monitoring/freezing
EOB monitoring
ID restoration/investigation
Third-party expenses:
Lawsuits
Regulatory violation allegations (HIPAA/HITECH)
Patient claims (emotional distress, mental anguish)
Regulatory fines: HIPAA, HITECH, FTC; PCI-DSS penalties (contractual, imposed through the card brands rather than a regulator)
AG inquiries/fines
HHS/OCR audits and investigations

Employee Misplaces Flash Drive
An employee misplaced a key chain with an attached flash drive, which contained the PHI of approximately 270 patients. The provider retained counsel and notified the impacted individuals.
Insured costs: $27,000 in legal fees and notification costs.
The claim scenarios described here are hypothetical and are offered solely to illustrate the types of situations that may result in claims. These scenarios are not based on actual claims and should not be compared to an actual claim. The precise coverage afforded by any insurer is subject to the terms and conditions of the policies as issued. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.

External Vendor Can't Find Hard Drives
A healthcare provider contracted with a national vendor to relocate hard drives and servers. After taking inventory, the provider discovered several missing hard drives containing PHI. The provider retained legal counsel to analyze regulatory obligations, as well as vendors to conduct forensics, notify impacted individuals, and offer credit monitoring services. The notifications resulted in regulatory inquiries and the filing of several class action suits.
Costs add up:
Forensics, legal fees, notification, call center, credit monitoring
Legal fees for the class actions and for responses to regulatory inquiries

Understanding Gaps Reduces Risks
Complete an annual privacy and security risk assessment:
Data inventory
Policy review
IT security review
Business associate assessment
Cyber liability insurance review

When a Breach Occurs
Follow a prescribed approach, such as the ID Experts YourResponse Method: the Discover, Analyze, Formulate and Respond phases that follow.

Discover Phase
Determine what happened
What are the facts of the incident?
Are forensics necessary?
Treat findings like evidence, because they are.

Discover Phase: Preliminary Work
Contact applicable parties ASAP:
Insurer
Breach coach
Law firm
Law enforcement
Affected banks
Forensics firms
Initial steps:
Compliance assessment
Operations analysis:
Vendor/subcontractor contract review
Applicable regulators
Internal policies in place
Develop timeline
Prepare budget
Assess vendors (forensics/PR/etc.)
Document everything

Analyze
Determine if the incident is a breach
Analyze the facts against applicable federal and state laws:
What data was involved?
Was it exposed?
Does an exception (safe harbor) apply?
Is there a risk of harm?
Is there a notification obligation?
If there is no notification obligation, document the analysis.

Formulate
Formulate a risk-proportionate response, considering:
The nature of the event
Type of data lost
Needs of the breach population
Sensitivity of organizational reputation
Industry or stakeholder expectations
Applicable laws and regulations
Real and/or perceived risk of lawsuit

Respond
Sending the letter
Taking the calls
Handling the press
Managing escalations
Monitoring legal activity

Privacy Liability Coverage
It's not just cyber insurance: coverage is for enterprise-wide risk, from IT to HR to regulatory fines and penalties.
Three primary types of coverage:
Privacy liability
Data breach expenses
Network security liability
Also available:
Internet media liability
Network extortion
Business interruption and digital asset loss

Privacy Liability Coverage
Buyers are not just IT, but also:
Risk managers, CISO/CPO, general counsel
Compliance officers
CFO
Affirmative coverage is key! What is the intent of your GL (general liability), Crime, and D&O (directors and officers) policies?

Privacy Liability Coverage
Does your policy include coverage for:
Independent contractors?
Temp staff and part-time help?
Unencrypted data?
Hard-copy documents and the spoken word?
Mobile devices?
Third-party vendors related to your IT?
Does your insurance carrier:
Provide access to tools, resources, and pre-negotiated rates for pre-screened data breach vendors?
Have underwriters, product managers, and claims handlers dedicated to privacy/cyber liability in the healthcare industry?

Privacy Liability Coverage: Post-Breach Response
Does your insurance carrier's approach fit your industry?
Resources should scale to your organization: do they complement your incident response process, or completely outsource it?
Vendor choice is important!
Don't overlook your third-party liability coverage:
Patient class actions
Statutory damages
Credit card issuer demands
Regulatory fines and penalties (where insurable)
Premiums vary with the coverage levels selected

Wrap-up
Follow a multi-discipline approach to minimize data breach risk
Privacy and compliance should be involved in the data breach response decision-making process
A one-size-fits-all approach doesn't work for data breaches
Best practices for selecting a privacy liability insurance policy:
Review policy language carefully
Understand the tools and resources the carrier provides
Evaluate the level of experience of the claims staff

Q&A
Jeremy Henley, Insurance Solutions Executive, ID Experts, Jeremy.henley@idexpertscorp.com, 760-304-4761
Anthony V. Dagostino, Vice President, Eastern Zone Manager & Healthcare Privacy/Technology Product Manager, ACE USA, Anthony.Dagostino@acegroup.com, 201-479-6381