Reported cyber-data breaches reached an all-time high in 2014, with 783 reported breaches, and 42.5% of these came from the healthcare industry alone. These numbers are likely to increase in 2015, especially following the recent announcement by Anthem that its systems had been hacked and the information of as many as 80 million customers had been compromised. Likewise, as technology advances and healthcare providers continue to maintain health records and information electronically, more companies outside the traditional healthcare field are at risk of violating federal regulations that previously did not apply to them. It is important to realize that these cyber-data breaches may not be covered by typical commercial general liability (CGL) policies.
Due to changes in federal regulations, it is not just companies that unquestionably operate in the healthcare industry that are at risk; it is also those businesses that find themselves handling personal health information (PHI) even though they are not technically in the healthcare industry. The broad reach of the federal regulations is a result of the Health Information Technology for Economic and Clinical Health Act (HITECH), originally enacted in 2009 and modified in 2013, which expanded the Health Care Portability and Accountability Act of 1986 (HIPAA) by broadening the definitions of a business associate and of a breach to be more inclusive. Now, any company that is involved in any manner with this protected information, including health information organizations, subcontractors, and vendors, is directly liable for a breach. Under the new regulations, a breach also includes any unauthorized acquisition, access, use, or disclosure of PHI unless it can be shown that there is a very low likelihood that the information has been compromised. In addition to the changes under HITECH, there has been an increase in the enforcement of the regulations, and many companies that do not even realize they are at risk may be liable for these violations in the event of a cyber-data breach. With healthcare data breaches on the rise, understanding your insurance coverage and options is critical, and it is important to be aware that your insurance policy may not cover HIPAA and HITECH violations.
These types of cyber-data breaches may be covered under two CGL policy sections: property damage, or advertising and personal injury. However, both sections are limited. For example, in order for the property damage coverage part to cover a loss of personal information from a cyber-breach, there must be a loss of tangible property, not simply of information. So, unless there is physical damage to a server or other tangible property as a result of the breach, the loss will not be considered covered property damage. Similarly, for the advertising and personal injury coverage to apply, there needs to be actual oral or written publication of material that violates a person's right to privacy, which is not always present in this type of data breach. In addition to these limitations, penalties and fines, which can make up a large portion of the damages sustained by a company for HIPAA and HITECH violations, are often excluded from CGL policies.
Even if the company does have an applicable insurance policy that covers HIPAA and HITECH violations, the policyholder must ensure that its policy limits are high enough to cover the data breaches and penalties. The costs of cyber-data breaches can be crippling, and this is especially true for HIPAA and HITECH violations, which carry more extensive penalties and requirements than typical cyber-data breaches. Companies that suffer a breach of PHI or records are subject to extensive legal defense costs, potential class actions, forensic investigation costs, severe penalties of up to $50,000 per violation, and remedial requirements that may be incurred even where no one was harmed or at risk.
When procuring insurance coverage, a policyholder needs to know its risks and inform its broker. In order to do this effectively, it is imperative that the person or department responsible for obtaining and maintaining proper coverage knows that the company handles personal health records or information and that it is therefore at risk for HIPAA and HITECH violations. Ultimately, it is not enough simply to have coverage; a policyholder must also review its policy to ensure that the policy limits are high enough to cover a data breach of this nature.