The past few years have seen multiple “privacy insurance” policies come on to the Australian market, with policies tailored to the needs of both SMEs and large corporates. The healthcare sector is at particular risk of privacy breaches and resultant regulatory action and claims, but it is not clear that this has led to an increased uptake of privacy insurance policies in the sector.
Insureds operating in the health sector tend to hold highly-sensitive personal information. They are also subject to onerous regulation.
Their employees, however, fear that their privacy protections are not up to the task. A 2010 US benchmark study on patient privacy and data security by Ponemon Institute found the three key causes for privacy breaches were:
- Unintentional employee action;
- Lost or stolen computing devices; and
- Third-party errors.
When staff of healthcare providers were interviewed, they considered that a majority of their employers did not have sufficient resources to enable the security of patient records (71%) nor sufficient policies and procedures to protect health information (69%). Additionally, more than half of the staff had little or no confidence in their ability to correctly secure patient records (58%).
These concerns will only grow as trends common across all industries (computerisation, cloud storage, a desire by consumers for portability of their information) are affecting the health sector.
This article aims to highlight some of the privacy issues raised in recent cases and incidents in the health sector.
UNAUTHORISED DISCLOSURES OF INFORMATION
‘EZ’ and ‘EY’  AICmr 23
Mr Z, a patient of Dr Y, contacted his local police station in November 2006 to report harassment and damage to his property as part of an ongoing neighbourhood dispute. Sergeant X attended the scene and reported that Mr Z to be acting in a highly excited and paranoid manner.
Following this incident, Sergeant X contacted Dr Y in December of 2006 to discuss whether, in Dr Z’s opinion, Mr Z was “psychotic.” As recorded by Sergeant X, Dr Y advised that “it was possible, but further assessment was needed.” Mr Z became aware of this conversation and lodged a formal complaint under section 36 of the Privacy Act 1988 (Cth) (Privacy Act) in relation to Dr Y’s conduct.
In particular, Mr Z alleged Dr Y had interfered with his privacy by:
- Improperly disclosing personal information from Mr Z’s medical records to Sergeant X;
- Disclosing inaccurate personal information to Sergeant X; and
- Failing to have adequate security safeguards to protect his personal information from improper disclosure.
The Australian Information Commissioner opened an investigation into Mr Z’s allegations on 29 May 2012. The matter was later decided under section 52 of the Privacy Act. The Commissioner found that Dr Y had interfered with Mr Z’s privacy and failed to take reasonable steps to protect his personal information. Dr Y had not sought to question the police on why they sought her views, or to take into consideration the obligations imposed on health providers by their professional regulator.
The Commissioner found in favour of Dr Y in one respect, finding that the information disclosed had been accurate.
Dr Y was ordered by the Commissioner to apologise to Mr Z and pay AU$6,500. for the loss caused by the interference with Mr Z’s privacy.
INSURING AGAINST INTERNAL & EXTERNAL SECURITY BREACHES
Citizens Bank of Pennsylvania v. Reimbursement Technologies, Inc., 609 Fed.Appx. 88 C.A.3.Pa.,2015
Citizens Bank of Pennsylvania (the Bank) sued Reimbursement Technologies (RT), a doctors’ billing and financial management company, and Leah Brown, a RT employee, in the United States (US) Federal Court for losses related to fraudulent withdrawals from customers’ bank accounts.
The Bank alleged that certain RT employees and agents, including Ms Brown, accessed non-public financial information of patients of RT’s doctor clients and provided it to a third-party “organised fraud-ring.” As a result, it was claimed, the ring illegally withdrew money from Citizens’ customers’ accounts from branches in six different US states. The Bank re-credited its customers’ accounts for the amounts withdrawn and calculated a total loss of at least US$390,000.
Citizens claimed RT was liable for its losses on the basis that RT had violated health privacy principles in the Health Insurance Portability and Accountability Act (HIPAA). Pointing to HIPAA’s stated purpose to “improve portability and continuity of health insurance coverage”, the Court rejected the suggestion that HIPAA was in any way intended to protect patients’ banks from possible financial fraud.
The Court also found that RT did not owe a duty of care to the bank, that it had not been negligent and was not liable for fraud.
ANTHEM INC – SECURITY BREACH
In February 2015, Anthem Inc, the second-largest US provider of health insurance, had its secure databases invaded by unknown hackers. Much personal information was stolen. As a result of the breach, 78.8 million customers of Anthem were involuntarily put at risk of identity theft.
Several federal and state authorities have since sought to investigate the company’s security systems and its response to the wider community. The attack has been costly to Anthem from both a reputational and commercial standpoint. In particular, Anthem was obliged to enlist another company to provide a two-year, free-of-charge identity theft repair and credit monitoring service to all its clients.
Insureds in the health sector have onerous obligations to their patients. New technologies threaten this obligation, as demonstrated by the above cases, and this will have implications for policy coverage and insurers’ exposure in this space.