Risk Scenario


A social engineering cyber attack results in a massive loss of medical records, a reputational hit and a merger gone bad.
By: | October 20, 2015 • 7 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical, yet realistic stories, showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.


A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.



“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Does your company have a two-factor authentication system in place to block unauthorized access to your IT system?


Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.


There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, were causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas about systems integration and security.


In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not require two-factor authentication for access to the hospital’s IT system.

If a hacker chose to target Atlas, Reed thought, all they’d have to do was get an IT administrator’s username and password and they were in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed concluded that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted.”

The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Does your company have a cyber-breach incident response plan?


Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.


“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Are you comfortable that you have adequate insurance policies in place to cover not only the notification expenses but the legal and crisis response expenses that would stem from a cyber breach?



Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]

Health Care Cyber Risk

Closing the Data Risk Gap

Health care risk managers may not be able to stop data attacks, but they can follow some basic strategies to minimize the impact. 
By: | October 15, 2015 • 8 min read

Within the past year, health care insurers Anthem, Premera, and CareFirst Blue Cross Blue Shield all fell victim to hackers, with the attack on Anthem garnering the most media attention.


In the Anthem case, hackers obtained names, birthdays, email addresses, Social Security numbers or medical identification numbers, addresses and employment data, including income, from a database that had information on 80 million people across 14 states.

The weak upside to the hack was that no credit card or actual medical information — such as claims, test results or diagnostic codes — was stolen.

But to many observers, it comes as no shock that data security within the health care industry is vulnerable.

“Health care companies today are facing unprecedented threat levels whilst many are still battling to implement some of the most fundamental IT security controls,” said Graeme Newman, chief innovation officer at CFC Underwriting, a specialty lines underwriting agency based in London.

KPMG recently reported that health care organizations are at increased risk for cyber attacks because of the “richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle.”

Its report, “Health Care Cybersecurity Survey,” found that 81 percent of health care executives said their organizations were compromised by at least one malware, botnet or other cyber attack during the past two years.

Only half of the respondents felt adequately prepared to prevent attacks.

“The magnitude of the threat against health care information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, a KPMG partner and health care leader at the firm’s cyber practice.

Teamwork Needed

The problem for risk managers is they have options, but little real authority, to deal with cyber security issues.

“A risk manager has the power to affect change, yes — ensure it, no,” said Ryan Kalember, senior vice president, product marketing, at Proofpoint, a cloud-based security and compliance firm.

Anthony Giandomenico, senior security strategist, Fortinet

Anthony Giandomenico, senior security strategist with Fortinet, a cyber security provider in Sunnyvale, Calif., said that an overall risk-based approach is necessary to build in information security and protect data assets.

Today’s sophisticated attacks, the complexity of networks, the volume of attacks and the fact that security budgets are always shrinking mean that standard best practices for security controls are insufficient, he said.

“There are many vulnerabilities within an organization — the key is for the security and risk management teams to understand the true risk to the business and make those vulnerabilities top priorities to address,” Giandomenico said.

Without a risk-based approach, there may be misallocation of security budgets, and ultimately, the company suffers because too much effort and spending was focused on an area that had very little impact to the overall business, he said.

“This leaves the bigger risk impacts neglected, leaving the company less secure and more open to bigger impacts when breached,” Giandomenico said.

He said risk managers have a big part in this, but it’s up to the chief information security officers (CISOs) to work with risk managers to figure out how to interweave the security program into the company’s risk management program.

This is challenging for some CISOs who do not possess a strong business or risk management background.

Protected Health Information

In the typical organization, ensuring that health care records are properly secured is a matter of implementing many processes and technologies, depending on the myriad ways that protected health information (PHI) is actually used, both inside and outside electronic medical records systems.

“CISOs, let alone risk managers, are not typically empowered to ensure that all the right technologies are used and processes are implemented or followed, so it is imperative to collaborate across functions. Risk managers can play a key role in that,” Kalember said.

He added that different PHI applications have different implications for risk, and risk managers should be aware of the proper technologies and processes to secure those applications.

For example, data masking and anonymization for group health care data are two protection strategies. However, he said, risk managers will typically have to work with their broader IT and IT security teams to ensure the appropriate technologies and processes are actually implemented.

The challenges are many, said CFC’s Newman.


The health care industry is riddled with legacy IT platforms, many of which were built years ago when security was not top of mind, he said. Furthermore, IT budgets are often restricted and gaining board approval for significant investments into information security is not an easy task.

“But fundamentally, it is important to remember that this is an industry where data security is not the primary purpose, which is saving lives and providing vital health care services,” Newman said.

Newman said risk management teams within health care rightly focus primarily on issues such as patient safety. At the same time, he noted, health care data is hugely valuable, adding that there is a thriving underground market for the resale of medical data and increasing levels of interest from state-sponsored hacking groups.

Cyber Policy Purchases

Newman said that more than 90 percent of the world’s cyber insurance is purchased in the U.S., but to date, cyber policies have been very generic — for example, a retailer typically buys exactly the same policy as a hospital.

“Fundamentally, this is not right,” he said. “There are many very specific differences in exposure and this is what our specialist product aims to address.”

Keeping IT security a core part of any selection of vendors or partners is also crucial, he said.

When it comes to information security, he said, most companies will only really take it seriously when they start to lose business because of it.

He recommended risk managers undertake regular audits of all suppliers as a key component within an overall risk management program.

“Most companies still don’t do the basics,” he said. “We see countless cases where patient data is stored on unencrypted laptops or portable memory sticks.”

Losing these devices then results in serious financial loss, regulatory actions and significant reputational harm. In many cases, this can be mitigated by simply activating built-in encryption technology or installing one of the many third-party encryption technologies (at little to no cost).

Patch management is often neglected as well, he said.

Simply put, the vast majority of successful hacker attacks or malware outbreaks exploit known vulnerabilities. Patching systems on a regular basis and keeping applications up to date closes these known vulnerabilities.

Risk managers also need to recognize that people generally are an organization’s biggest risk.

Data must be made available to employees to be useful, but all staff need to be made aware of the risks and trained on the steps that must be taken to ensure that data remains secure.

Third-Party Risks

Austin, Texas-based Michael Bruemmer, vice president, consumer protection, at Experian Data Breach Resolution, said that sharing data with third parties is definitely a serious concern when it comes to data security.

Michael Bruemmer, vice president, consumer protection, Experian Data Breach Resolution

To Bruemmer, the good news is there are steps risk managers can take to proactively plan for such an incident, including requiring vendors to have the same security standards in place as their own in-house security policies. “The recent proliferation of data breaches is spurring more companies to update contracts with third-party vendors to hold them liable in the event of a data breach,” he said. “And, specific to the health care industry, HIPAA and HITECH laws require any third parties handling protected health information to be liable.”

Since data breaches are not always preventable, Bruemmer recommended several strategies, in addition to having a data breach response plan.

First and foremost, he said, make sure vendors and partners are protected by a cyber insurance policy because that will indicate a high level of preparedness. Companies should also ensure third-party risks are accounted for within their own cyber insurance policy.

“Ideally, risk managers will have ensured in advance that third-party partners — such as their insurers — are abiding by the same data protection standards and their contracts hold them liable for data lost during a breach,” he said.

Another strategy is to conduct frequent security training for employees, and have regular communication with regulators about expectations.

“While it may be out of a risk manager’s control that employee data is lost in a breach, they should be prepared for how to respond to this type of incident,” he said, noting that cyber incidents can range anywhere from an “Anthem-type” data breach to a compromised implantable medical device.

Whether the entire workforce or just a small group is affected, a data breach is not a good reflection on the company and poses risks of lawsuits and regulatory fines.


To respond effectively, the response plan should especially consider how to communicate with and protect employees.

For example, Bruemmer said, employees are typically more active and engaged than customers after a data breach, so risk managers must be prepared to handle a higher volume of requests in their call center and online forums.

They should also account for a potentially higher redemption rate of identity theft protection services.

“It is definitely possible for an employee to file a lawsuit against their employer if they are impacted by a data breach,” he said. “As with any data breach, risk managers can account for this by having legal counsel available as part of their incident response plan.”

Tom Starner is a freelance business writer and editor. He can be reached at [email protected]

Sponsored Content by CorVel

Telehealth: The Wait is Over

Telehealth delivers access to the work comp industry.
By: | November 2, 2015 • 5 min read


From Early Intervention To Immediate Intervention

Reducing medical lag times and initiating early intervention are some of the cornerstones to a successful claims management program. A key element in refining those metrics is improving access to appropriate care.

Telehealth is the use of electronic communications to facilitate interaction between a patient and a physician. With today’s technology and mass presence of mobile devices, injured workers can be connected to providers instantaneously via virtual visits. Early intervention offers time and cost saving benefits, and emerging technology presents the capability for immediate intervention.

Telehealth creates an opportunity to reduce overall claim duration by putting an injured worker in touch with a doctor who can issue a prescription or a referral to physical therapy when needed. On demand, secure and cost efficient, telehealth offers significant benefits to both payors and patients.

The Doctor Will See You Now

Major healthcare players like Aetna and Blue Cross Blue Shield are adding telehealth as part of their program standards. This comes as no surprise as multiple studies have found a correlation between improved outcomes and patients taking responsibility for their treatment with communications outside of the doctor’s office. CorVel has launched the new technology within the workers’ compensation industry as part of their service offering.

“Telehealth is an exciting enhancement for the Workers’ Compensation industry and our program. By piloting this new technology with CorVel, we hope to impact our program by streamlining communication and facilitating injured worker care more efficiently,” said one of CorVel’s clients.

As with all new solutions, there are some questions about telehealth. Regarding privacy concerns, telehealth is held to the same standards of HIPAA and all similar rules and regulations regarding health information technology and patients’ personal information. Telehealth offers secure, one on one interactions between the doctor and the injured worker, maintaining patient confidentiality.

The integrity of the patient-physician relationship often fuels debates against technology in healthcare. Conversely, telehealth may facilitate the undivided attention patients seek. In-office physicians’ actual face time with patients is continually decreasing; a 2013 New York Times article cited an average of eight minutes per patient. Telehealth may offer an alternative.

Virtual visits last about 10 to 15 minutes, offering more one on one time with physicians than a standard visit. Patients also can physically participate in the physician examination. When consulting with a telehealth physician, the patient can enter their vital signs like heart rate, blood pressure, and temperature and follow physical cues from the doctor to help determine the diagnosis. This gives patients an active role in their treatment.

Additionally, a 2010 BioMed Central Health Services Research Report is helping to dispel any questions regarding telehealth quality of care, stating “91% of health outcomes were as good or better via telehealth.”

Care: On Demand

By leveraging technology, claims professionals can enhance an already proactive claims model. Mobile phones and tablets provide access anywhere an injured worker may be and break previous barriers set by after hours injuries, incidents occurring in rural areas, or being out of a familiar place (i.e. employees in the transportation industry).

With telehealth, CorVel eliminates travel and wait times. The injured worker meets virtually with an in-network physician via his or her computer, smart phone or tablet device.

As most injuries reported in workers’ compensation are musculoskeletal injuries – soft tissue injuries that may not need escalation – the industry can benefit from telehealth since many times the initial physician visit ends with either a pharmacy or physical therapy script.

In CorVel’s model, because all communication is conducted electronically, the physician receives the patient’s information transmitted from the triage nurse via email and/or electronic data feeds. This saves time and eliminates the patient having to sit in a crowded waiting room trying to fill out a form with information they may not know.

Through electronic correspondence, the physician will also be alerted that the injured worker is a workers’ compensation patient with the goal of returning to work, helping to dictate treatment just as it would for an in office doctor.

In the scope of workers’ compensation, active participation in telehealth examinations, accompanied by convenience, is beneficial for payors. As the physician understands return to work goals, they can ensure follow up care like physical therapy is channeled within the network and can also help determine modified duty and other means to assist the patient to return to work quickly.


Convenience Costs Less

Today, convenience can often be synonymous with costly. While it may be believed that an on-demand physician’s visit would cost more than seeing your regular physician, perceptions can be deceiving. One of the goals of telehealth is to provide quality care with convenience and a fair cost.

Telehealth virtual visits cost on average 30% less than brick-and-mortar doctor’s office visits, according to the California state fee schedule. In addition, “health plans and employers see telehealth as a significant cost savings since as many as 10% of virtual visits replace emergency room visits which cost hundreds, if not thousands, of dollars for relatively minor complaints,” according to a study by American Well.

Benefits For All

Substantial evidence supports that better outcomes are produced the sooner an injured worker seeks care. Layered into CorVel’s proactive claims and medical management model, telehealth can upgrade early intervention to immediate intervention and is crucial for program success.

“We expect to add convenience for the injured worker while significantly reducing lag times from the injury to initiating treatment,” said David Lupinsky, Vice President, Medical Review Services.

“The goal is to continue to merge the ecosystems of providers, injured workers and payors.”

With a people first philosophy and an emphasis on immediacy, CorVel’s telehealth services reduce lag time and connect patients to convenient, quality care. It’s a win-win.

This article was produced by CorVel Corporation and not the Risk & Insurance® editorial team.

CorVel is a national provider of risk management solutions for employers, third party administrators, insurance companies and government agencies seeking to control costs and promote positive outcomes.