CIS News - A Newsletter from Coverys Insurance Services (2014-09-05)



September 2014

Greetings! I hope this edition of CIS News finds you enjoying the beginning of the fall season. The Coverys Insurance Services staff always appreciates this time of year when we can support our clients at their community golf outings and events around the state. Our sponsorship and attendance at these events are a highlight for us and I want to thank you for including Coverys Insurance Services.

The theme of this newsletter is Cyber Liability. We’ve put together some useful information to educate you about the threats of data breaches and to also explain the many ways Coverys Insurance Services provides protection against these threats. If you weren’t already aware, all Coverys policyholders automatically receive Regulatory Liability and Information Security and Privacy Coverage. This edition also includes a helpful article detailing the basic limits of coverage we provide to you as well as information on receiving additional limits, should your organization require those.

If you have any questions about cyber liability, your current coverage, or would like more information on obtaining additional coverage, please do not hesitate to contact us!

Sincerely,

David Schwaner
Agency Director, Coverys Insurance Services

In This Issue ...

• Cyber Liability and Data Breaches - A Growing Threat in Healthcare

• Getting To Know Coverys’ Regulatory Liability and Information Security and Privacy Coverage

www.coverysis.com

COPYRIGHTED


CIS News | September 2014

Coverys Insurance Services | www.coverysis.com

CYBER LIABILITY AND DATA BREACHES - A GROWING THREAT IN HEALTHCARE
By Richard J. Suhrheinrich and Kimberly M. Babcock, Kitch Drutchas Wagner Valitutti & Sherbrook

The information age has brought about unparalleled threats to companies in the area of “cyber attacks.” A cyber attack — also called a data breach — occurs when sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so. Such threats have become prominent in the news, with several well publicized attacks occurring to global companies and major retailers, such as Sony, Target and eBay. Since 2011, cyber attacks and data breaches are consistently included among the top global risks to watch for, according to the world’s top business leaders, politicians and policy advisers assembled at the World Economic Forum (WEF).[1]

The healthcare community is particularly vulnerable to cyber security threats. Hospitals, healthcare organizations and physician practices are faced with the daunting task of operating EMR and EMH systems and complex internal networks, while protecting highly sensitive patient data from inadvertent disclosure or theft. The increased use of technology, with telemedicine, laptops, tablets and mobile devices being used to store and transmit patient information, leads to more opportunities for data breaches to occur. The Identity Theft Resource Center, a non-profit organization that tracks data theft, found the healthcare sector experienced the highest number of cyber attacks in 2013, overtaking the business sector for the top spot. The healthcare sector suffered 267 breaches in 2013, constituting 43 percent of all cyber attacks that year.[2] Interestingly, most of these breaches are not due to a malicious attack from a third party — according to a 2013 global study conducted by the Ponemon Institute, human errors and system glitches caused approximately two-thirds of data breaches.[3]

Data breaches can occur in multiple ways. Stolen or lost laptops or hard drives, disclosures by third-party vendors, and unsecure websites top the list. The following are some examples of the notable breaches by hospitals or healthcare organizations occurring to date:

Advocate Medical Group (2013): Four laptops were stolen containing more than 4 million patient records. This was the second largest breach to be reported to HHS.[4]

AHMC Healthcare (2013): Two laptops were stolen containing patient data from six AHMC hospitals in California. Approximately 729,000 patients were affected with about 70,000 having their Social Security numbers compromised.[4]

Cogent Healthcare, Inc. (2013): A transcription company stored medical data on a non-secure website, making the “private” website accessible to all Internet users; some records were indexed by Google. PHI of over 32,000 individuals was affected.[4]

Emory Healthcare (2012): The Atlanta-based hospital system misplaced 10 backup disks containing information for more than 315,000 patients. Some 228,000 of the files included patient Social Security numbers and other medical information.[5]

UCLA Health System (2011): Unauthorized employees looked at electronic protected health information of numerous celebrity patients. UCLA had to pay $865,000 to settle HIPAA investigations and charges.[6]

Less than a year later, UCLA was faced with another data breach when a former employee’s house was broken into, and an external hard drive was stolen containing encrypted personal information of 16,288 patients.[7]

Sutter Health (2011): Nearly 1 million patients of the California health system had their PHI compromised after the theft of an unencrypted company desktop computer. Sutter Health faces 11 different lawsuits with potential liability of up to $4.25 billion.[8]

Eisenhower Medical Center (2011): An unencrypted computer was stolen containing patient data; over 514,000 individuals were affected.[9]

TRICARE Management Activity (2011): Lost back-up tapes contained PHI of over 4.9 million individuals, making it the largest breach in history. $4.9 billion was sought in the class action lawsuit, or $1,000 per patient. Importantly, a federal court recently dismissed the majority of the lawsuit on the basis that a data breach alone did not demonstrate damages and the plaintiffs had to prove actual harm.[9]


North Bronx Healthcare Network (2010): Back-up tapes from two computer systems were stolen from a vendor truck, containing 20 years of PHI of an estimated 1.7 million individuals.[9]

New York Presbyterian Hospital and Columbia University (2010): A physician attempted to deactivate a personal computer server on the hospital network, resulting in 6,800 patients’ PHI being exposed on the Internet. In the largest HIPAA settlement to date, the two hospitals paid a total of $4.8 million to settle the claims.[10]

What Are the Consequences of a Data Breach?

The recently enacted “HIPAA Omnibus Rule,” found in the HITECH Act’s Breach Notification Rule, requires entities to notify the U.S. Department of Health and Human Services (HHS) following a data breach of protected health information. If the PHI of 500 or more individuals is compromised, HHS posts the breach to the public — in 2013 alone, 248 such violations were posted.[11]

According to the 2013 Ponemon study, the average total organizational cost of a data breach in the United States was $5,403,644. Healthcare, as the most heavily regulated industry, led the pack as the U.S. industry with the highest per capita cost of a data breach.[3] When a data breach occurs, a hospital or healthcare system may face all or some of these expenses and consequences:

• Legal Defense: the cost can vary widely. A 2013 study of actual claim payouts found the average cost for legal defense for a cyber liability/data breach claim was $574,984, and the average legal settlement was $258,099.[12]

• Regulatory Proceedings, Fines, and Penalties: the Omnibus rule allows for hefty penalties for data breaches — up to $1,500,000 per incident. In 2013, HHS handed out penalties ranging from $150,000 to $1,700,000.[13]


• Notification of Third Parties: most states require notification to individuals with potentially compromised information. HHS must be notified if the PHI of over 500 individuals is affected.[14]

• In-House Investigations: including response plans, and repair and/or improvement of security technology.

• Forensic Examination and Experts: hiring a third party to investigate the data breach; average fees are from $200 to $1,500 per hour.[14]

• Hotline/Call Center: to provide support for patients/affected individuals.

• Credit or Identity Monitoring: many hospitals voluntarily provide this for patients who are victims of a breach; typical credit monitoring costs can range from $10-$30 per individual per year.[14]

• Public Relations: damage control is necessary and may be extensive, depending on the seriousness of the breach and the number of people affected. Hiring an external party may be necessary.

• Various intangible consequences, such as harm to the organization’s reputation and loss of trust between the organization and the patient.[4]

For the healthcare community, cyber liability is a real and growing threat. It has become a “must” for hospitals, healthcare organizations and physician practices to be aware of the cyber liability risks, and take affirmative steps to reduce these risks. Steps need to be taken to safeguard against disclosure as well as protect the provider, should a breach happen.

References:

1. Global Risks 2014: Ninth Edition. Published by the World Economic Forum, http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf; “Cybersecurity named one of top five global threats.” Published February 10, 2011, www.homelandsecuritynewswire.com/cybersecurity-named-one-top-five-global-threats.


2. “Cyberattacks are on the rise. And health-care data is the biggest target.” Published February 5, 2014, http://www.washingtonpost.com/blogs/wonkblog/wp/2014/02/05/cyberattacks-are-on-the-rise-and-health-care-data-is-the-biggest-target/.

3. 2013 Cost of Data Breach Study: Global Analysis. Ponemon Institute, May 2013, www.ponemon.org/library/2013-cost-of-data-breach-global-analysis.

4. “Top 10 HIPAA Data Breaches of 2013.” Layered Tech, published January 7, 2014, www.layeredtech.com/blog/top-10hipaa-data-breaches-of-2013.

5. “10 largest HIPAA breaches of 2012.” Healthcare IT News, published January 1, 2013, http://www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012.

6. “UCLA Health System Pays $865,000 Over Privacy Charges.” InformationWeek, published July 8, 2011, http://www.darkreading.com/risk-management/ucla-health-system-pays-$865000-over-privacy-charges/d/d-id/1098799.

7. “UCLA Patient Data Breached (Again).” Fierce Healthcare, published November 7, 2011, http://www.fiercehealthcare.com/story/ucla-patient-data-breached-again/2011-11-07.

8. “Patients Sue Sutter Health After Largest Data Breach.” Fierce Healthcare, published November 28, 2011, http://www.fiercehealthcare.com/story/patients-sue-sutter-health-after-largest-data-breach/2011-11-28; “Another data breach for Sutter Health.” Healthcare IT News, published June 10, 2013, http://www.healthcareitnews.com/news/another-data-breach-sutter-health.

9. “10 biggest HIPAA data breaches in the U.S.” Healthcare IT News, published September 10, 2012, www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states.

10. “Data breach results in $4.8 million HIPAA settlements.” U.S. Department of Health & Human Services Press Release dated May 7, 2014, www.hhs.gov.

11. 45 CFR § 164.408; see also www.HHS.gov – Health Information Privacy – Breaches Affecting 500 or More Individuals.

12. “Cyber Liability & Data Breach Insurance Claims: A Study of Actual Claim Payouts.” NetDiligence 2013, www.netdiligence.com/files/CyberClaimsStudy-2013.pdf.

13. “HHS raises the stakes for patient data breaches.” Healthcare IT News, published November 25, 2013, http://www.healthcareitnews.com/blog/hhs-raises-stakes-patient-data-breaches.

14. “Data Breach Cost: Risks, costs and mitigation strategies for data breaches.” Zurich, http://www.zurichna.com/internet/zna/sitecollectiondocuments/en/products/securityandprivacy/data%20breach%20costs.%20wp%20part%201%20(risks,%20costs%20and%20mitigation%20strategies).pdf.


GETTING TO KNOW COVERYS’ REGULATORY LIABILITY AND INFORMATION SECURITY AND PRIVACY COVERAGE

Since 2009, more than 804 breaches of protected health information were reported to the HHS Office of Civil Rights. As a result, more than 29 million patient records were affected.[1] Healthcare facilities have been charged with protecting not only their patients’ well-being, but also their protected health information.

Through member company MHA Insurance Company (“MHAIC”), Coverys provides facilities with the extra coverage you may need, above and beyond your original professional liability policy. All MHAIC policies now include Regulatory Liability and Information Security and Privacy Coverage. Coverys offers the coverage for policyholders for no extra cost at basic limits and also offers the ability to purchase additional limits with flexible deductible options. The following information will help you get a more in-depth understanding of this coverage.

Who is eligible for Coverys’ Regulatory Liability and Information Security and Privacy Coverage? Is there a limit of liability buy-up option?

Individual, group and facility professional liability policyholders are provided the coverage at basic limits. They are also given the option of purchasing additional limits with flexible retentions.

Does MHAIC bear the underwriting exposure for these coverages?

No. MHAIC fronts this coverage on behalf of Beazley,[2] a specialty insurance company that manages five international Lloyd’s of London syndicates. Beazley is a market leader in cyber liability, professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

Will Coverys underwriters be given a loss report for each insured?

Beazley shares claim-specific loss reports with Coverys for each of its applicable underwriting entities. Coverys underwriters have access to these reports.

Will coverage be available in claims-made and occurrence?

No. Coverage is written solely on a claims-made basis. However, the coverage will be attached to both claims-made and occurrence professional liability policies.

Will there be an extended reporting period endorsement option?

Yes, there is a one-year,[3] non-renewable reporting endorsement option available.


What are the basic limits of liability and deductibles?

Coverage                                     Section                    Provider Limits***   Provider Retention***   Facility Limits   Facility Retention
-------------------------------------------  -------------------------  -------------------  ----------------------  ----------------  ------------------
Information Security and Privacy Liability   A                          $50,000              $1,000                  $100,000          $5,000
Privacy Breach Response Services             B****                      5,000 individuals                            $100,000
Computer Forensics                           B.1.a Sublimit             $50,000
Computer Forensics and Notification Service  B.1.a&b Sublimit                                $1,000                  $50,000           $5,000
Credit Monitoring Service                    B.1.c                                           50 individuals                            250 individuals
Regulatory Defense and Penalties             C                          $50,000              $1,000                  $50,000           $5,000
Website Media Content Liability              D                          $50,000              $1,000                  $50,000           $5,000
Providers Regulatory Liability               E                          $50,000              $1,000                  $100,000          $25,000
Disciplinary Proceedings                     E (Disciplinary) Sublimit  $25,000              -                       $25,000           -
Cyber Extortion                              F                          $50,000              $1,000                  $50,000           $5,000
First Party Data Protection                  G                          $50,000              $1,000                  $50,000           $5,000
Crisis Management and Public Relations       H                          $25,000              $1,000                  $25,000           $5,000
Combined Aggregate                                                      $50,000                                      $100,000

* The Coverys MPL provider policy includes the basic limits and deductibles noted above, at no additional charge.

** Limit buy-up options, up to $5 million per coverage with flexible retentions, are available upon request.

*** The Limit of Liability shown for Coverage B and the Aggregate as well as all Retentions may vary by Group size (this table displays amounts for a Group Size of 5). Please see the Regulatory Liability and Information Security and Privacy Coverage Schedule for further details.

**** For Provider policies, this limit does not apply to the aggregate.


3100 West Road, Building 1, Suite 200, East Lansing, MI 48823

NOTE: For claims-made policies, insureds must purchase a reporting endorsement for their professional liability policy in order to purchase the cyber/regulatory reporting endorsement.

Why is coverage provided for Cyber Extortion? Isn’t extortion a criminal act?

The insured is covered to protect against the criminal act of someone else. It is similar to a homeowner’s insurance policy protecting the homeowner against robbery. The act of the robber is criminal, but the homeowner needs coverage for the act.

Is extortion committed by an employee excluded?

Yes, the coverage explicitly excludes cyber extortion by an employee or owner of the practice.

How does the notifications deductible apply?

• An individual practitioner is responsible to pay for the first 50 notifications. After that, the coverage will pay for 5,000 notifications.

• For a group of two to 20 practitioners, the group will pay for the first 100 notifications. After that, the coverage will pay for 50,000 notifications.

• For a group of 21 or more, the group pays for the first 5,000 notifications. After that, the coverage will pay for 100,000 notifications.

• For a facility, the facility pays for the first 250 notifications. After that, the coverage will pay for $100,000 worth of notifications.

Who chooses the attorneys, experts and service providers?

Beazley has attorneys, computer experts and service providers that they can contract with to provide these services to their insureds. However, Beazley is willing to work with insureds to expand their panel of providers given the right circumstances.

What if the insured already has this coverage through another policy?

There is an “other insurance” clause written into the coverage language which states that the cyber/regulatory coverage is excess over any other coverage available.

References:

1. “Redspin’s Breach Report 2013 — Protected Health Information (PHI)”, Redspin, http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php.

2. Beazley has authority to enter into contracts of insurance on behalf of the Lloyd’s underwriting members of Lloyd’s syndicates 623 and 2623 which are managed by Beazley Furlonge Limited. Beazley Furlonge Limited is authorized by the Prudential Regulation Authority and regulated by the Financial Conduct Authority in the UK (ref 204896) in its capacity as an insurer.

3. Contingent upon state regulations.