By DAN REYNOLDS, senior editor of Risk & Insurance®
The theft of a laptop containing about 21,000 patient records from a hospital in Philadelphia in June provided ample proof of the residual risks presented in healthcare network security.
The stolen device, taken on June 14 and publicly reported on July 23, was a personal, unencrypted laptop; using it to store patient records violated Thomas Jefferson University Hospital policy.
In other words, the hospital had a policy against storing patient data on personal, unencrypted computers, but the employee violated it anyway.
"At the end of the day, there is nothing that an entity can do to protect themselves 100 percent," said Jim Whetstone, a Chicago-based senior vice president for technology errors-and-omissions with Hiscox.
New federal guidelines require any loss of unencrypted data involving more than 500 people to be publicly reported and posted, so substantial reputational risk is now in play as well.
Online records from the U.S. Department of Health and Human Services show that as of Aug. 4, 2010, there had been 127 losses of healthcare data each involving more than 500 patients, amounting to more than 5 million records in total.
Other large healthcare data losses this year include the disappearance of 344,759 records from New York-based Affinity Health Plan Inc., which was posted to the HHS website on April 27, 2010.
A loss from Iron Mountain Data Products of more than 800,000 records from patients at South Shore Hospital in Weymouth, Mass., was posted to the HHS website on July 21.
Insurers are going after this network security business like never before, according to Sarah Stephens, a Chicago-based associate vice president in Aon's Financial Services Group.
"It is correct to say that there is a huge appetite in the insurance market right now to write this kind of network security and privacy liability coverage," Stephens said.
"It seems additional insurers are entering this space monthly, if not weekly," Hiscox's Whetstone said.
So, as in many things in this business, the combination of a soft market and fervent competition for underwriting a growing exposure could lead to a bit of mayhem before the dust settles. Some insurers may be keen to underwrite the risk because it's a growing area, but at the same time might not have much experience in handling these types of claims.
For their part, Whetstone and Stephens caution risk managers to study their insurers carefully and to choose an underwriter with deep experience in handling these claims.
Even if the lost or stolen data is never misused, healthcare providers, and organizations in other industries that lose data, face substantial notification costs whenever the lost computer was unencrypted.
According to Stephens, adept insurers are learning to save costs for themselves and their clients by taking a panel approach to enlisting an array of post-breach services such as forensics, legal advice and notification costs. And those costs can be jarring.
Blue Cross Blue Shield of Tennessee has spent more than $7 million on forensics and notifications after the theft of 57 of its hard drives in October 2009, according to public statements made in January 2010.
In 2009, the U.S. Department of Veterans Affairs agreed to pay $20 million to settle a class-action lawsuit after a data breach left more than 26 million veterans vulnerable to identity theft.
Whetstone said many companies are debating whether to store their records in-house or outsource the storage duties and the risk. Either way, it is a growing business for carriers that, like Hiscox, are insuring the healthcare providers and the outside vendors that are housing the data.
August 10, 2010
Copyright © 2010 LRP Publications