A $2.3 million HIPAA settlement by 21st Century Oncology from mid-December 2017 seemed to mostly fly under the radar.

A combination of events seems to have helped push the low profile, namely the lack of a timely announcement by the Office for Civil Rights and an unfamiliar venue for approving the settlement, Bankruptcy Court. The OCR issued its press release on December 28, after the settlement was buried in a Department of Justice press release, since 21st Century Oncology also settled major fraud allegations. As a result, the fraud charges took the headlines.

The $2.3 million price tag on the settlement is eye-catching by itself to a large degree. It is a significant amount of money and ranks as one of the higher settlements imposed by OCR. Turning to the facts, 21st Century Oncology learned of the data breach after being notified by the FBI. After learning about the breach, 21st Century Oncology determined that its servers had been compromised for more than a month, with potentially 2,213,957 records impacted. The information included sensitive elements such as names, Social Security numbers, diagnoses and insurance information.

As any reader of an OCR settlement should know by now, though, the internal investigation as to the extent of the breach was not the end of the story. Once OCR came in to take a look around, it found myriad violations beyond the impermissible disclosure. OCR contends that 21st Century Oncology:

  • Failed to do the necessary risk analysis (a common failing point).
  • Failed to implement all necessary security measures.
  • Failed to regularly review records of information security measures to determine if the network was remaining secure.
  • Provided PHI to a vendor without executing a business associate agreement.

As the list of violations demonstrates, 21st Century Oncology hit some of the major pain points that drive OCR to impose significant fines.

The provider’s problems so far are not much different from any number of previous breaches. However, the most interesting part of the settlement is not actually the terms of the settlement with OCR. Instead, the interesting part is the fact that 21st Century Oncology’s insurer, Beazley, assumed the obligation for payment of the fine and payment of 21st Century Oncology’s defense fees. Without having any of the facts from behind the scenes, the apparent willingness of Beazley to assume the costs associated with the data breach is important in showing that a cyber insurer would fulfill its obligations.

The cyber insurance field appears to be willing to settle with claimants at the moment. No consistent standard exists in terms of how cyber insurance policies are written, not least of which is what types of liability will be covered. Some policies will cover breach response; some will only cover aspects of the response; some will cover penalties; and some will cover any number of other permutations when it comes to the scope of coverage. Despite the broad range of what coverage could potentially be, an area of contention has been actually paying out when a breach occurs. That is where the real money comes in, and where means may be sought to deny coverage.

As noted above, without having the benefit of the background, the order from the Bankruptcy Court approving the settlement with OCR and related relief specifically stated that Beazley, as insurer, would take all actions necessary to effectuate the settlement. Such apparent ease of reaching a settlement offers a glimmer of hope going forward. If insurers will cover costs associated with a breach, including fines and penalties imposed by the government, then cyber insurance may begin to convey real meaning.

As costs and penalties begin to be covered, the next question will be how the cost of such insurance changes and the nature of the terms. As indicated, it is an improvement for penalties to be covered by insurance, but there will still be a number of issues to work out. That will require carefully reading policies as well as all riders and negotiating with insurers for desired coverage.

As is usually the case with a settlement, the 21st Century Oncology settlement carried more significance than initially apparent. Maturity of cyber insurance will be important given the increasing number of data breaches and corresponding monetary implications. While it would be preferable to not have this particular market become so experienced, the reality is that such development is necessary and will help all sides.

Matthew Fisher

Fisher is the Chair of the Health Law Group at Mirick O'Connell, a law firm based in Worcester, Mass.