Lax Cybersecurity Protocols Can Cost Your Company Millions
The U.S. Department of Health and Human Services (HHS) hit the Children’s Medical Center of Dallas with a non-appealable $3.2 million fine based on alleged breaches of HIPAA-protected patient and personnel information, according to Healthcare Informatics. HHS determined that there were at least three substantial breaches of electronic protected health information (ePHI) related to the Dallas medical center, including:
- In 2009, a hospital employee lost an unencrypted Blackberry handheld device that contained ePHI of approximately 3,800 people.
- In 2010, a medical resident lost an iPod-like device that was synced to a hospital email account, compromising the ePHI of over 20 individuals.
- In 2013, an unencrypted laptop containing ePHI for nearly 2,500 individuals was stolen from the hospital.
The multi-million dollar fine raises an important question for the medical center – will it be able to seek reimbursement through its insurance policy to cover agency fine for alleged ePHI-related losses? It depends primarily on the language in the medical center’s insurance policy and scope of coverage.
In many corporate cyber insurance policies, there is coverage for regulatory fines. However, some policies still contain broadly worded exclusionary language that could enable the insurer to deny coverage for a fine such as the one levied by HHS.
Common Exclusions to Be Aware Of – Unencrypted Devices and Prior Knowledge of Risks
Many insurance companies offering cyber breach coverage mandate encryption. Other policies require encryption implicitly by excluding coverage for claims for the breach of unencrypted data. If the Children’s Medical Center of Dallas’ policy has such an exclusion, the company may be forced to pay the fine itself without the assistance of its insurance coverage.
In addition to unencrypted exclusions, cyber insurance policies often exclude claims where there is evidence that the insured could have reasonably foreseen a loss covered under the policy. In the situation described above in Dallas, HHS reported that the medical center was actually notified in 2007 and 2008 by independent threat analysis companies that encryption was necessary to protect its devices, but failed to take the necessary action until 2013. Knowledge like this, especially in the absence of actual or attempted corrective action, may be the basis for an insurer denying coverage.
Consulting with Insurer During Investigation
A surprising revelation was that the medical center did not request a hearing to make arguments in its defense. This lack of action resulted in the non-appealable $3.2 million fine. This may have been a strategic decision made in consultation with the medical center’s insurer. Why? Because an insurer generally has broad authority to control any defense or potential settlement in regards to a covered claim. This is important to highlight because if a company fails to consult with their insurer and loop them in on the decision-making process about how to handle a claim, the insurer will be more inclined to deny coverage.
Experienced Brownsville Insurance Coverage Attorneys
As you can see, there are numerous provisions that need to be addressed and clearly defined when your company is deciding the type of cybersecurity insurance coverage it needs. If your insurer denies coverage, you may need to pursue legal action. The law firm of Colvin, Saenz, Rodriguez & Kennamer, L.L.P., is ready and able to help. Our team of Brownsville insurance coverage attorneys have experience representing both insurance companies and the businesses insured by them in a myriad of coverage disputes. Our lawyers’ substantial experience advocating for the interests of parties on both sides of these matters puts us in a strong position to provide the effective representation you need.