According to Politico, Cyber criminals are actively targeting healthcare providers to access medical records. The patient data is sold, for as much as $500 per record, to other criminals who may then procure prescription drugs for resale, steal an identity, file fraudulent insurance claims, or obtain health care services. Verifying the frequency of successful offensives is complicated by the number of ways in which stolen medical data can be abused, and the fact that many cases of medical identity theft are unreported or undiscovered.
Of the discoverable attacks, healthcare organizations participating in Ponemon’s 2014 patient data study reported a staggering 100 percent increase in the number of targeted cyber crime assaults over the past four years. Loss or theft of computer system components and mobile devices remains the leading cause of most healthcare privacy breaches, followed by unintentional employee error. With 90 percent of the healthcare organizations studied reporting at least one security breach, the high frequency of incidents is more than problematic. The industry is clearly struggling to implement data security policies, procedures, and controls, and is doing so in the face of increasing regulatory enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (HSS OCR).
The HSS OCR has responded to the frequency of healthcare security breaches by increasing enforcement efforts. The HSS OCR enforces the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) according to the updated security and privacy protections contained in the Health Information Technology for Economic and Clinical Health Act (HITECH). The HSS OCR has the authority to investigate and penalize healthcare organizations for failing to meet security and privacy requirements, imposing regulatory penalties of $50,000 or more per violation with an annual cap of $1,500,000 for multiple violations of the same Privacy Rule requirement. In less than six months, the HSS OCR has reached six notable HIPAA security breach settlements, or Resolution Agreements:
- June 23, 2014 – $800,000 – Parkview Health Systems Inc. – Records Affected: 8,000
Improper disposal of physical medical records
- May 7, 2014 – $3,300,000 – New York Presbyterian – Records Affected: 6,800
Data Breach, improper security policies, procedures and controls
- May 7, 2014 – $1,500,000 – Columbia University – Records Affected: Included in NY Pres.
Data Breach, improper security policies, procedures and controls
- April 21, 2014 – $1,725,220 – Concentra Medical – Records Affected: 870 Initial Report
Unencrypted laptop theft, improper security policies, procedures and controls
- April 11, 2014 – $250,000 – QCA Health Plan, Inc. – Records Affected: 148
Unencrypted laptop theft, improper security policies, procedures and controls
- March 7, 2014 – $215,000 – Skagit County Health – Records Affected: 1,581
Data Breach, improper staff training, policies, procedures and controls
Cyber Liability Insurance carriers categorize healthcare entities as higher risk due to the frequency and severity of their security breach losses. However, with breach costs of over $188 per record (Ponemon), Privacy and Data Security Insurance coverage premiums remain a bargain. Privacy and Data Security Insurance coverage, or Cyber Liability Insurance, is central for any healthcare industry risk management program. For healthcare providers in particular, expanded coverage for non-digital privacy breaches is essential along with broad coverage for regulatory actions, fines and penalties.
INSUREtrust.com, LLC is a nationwide wholesale insurance brokerage specializing in Cyber Liability Insurance and Data Security Risk Management. Since 1997, INSUREtrust has focused on providing healthcare entities with extended insurance coverages to mitigate security and privacy risks, as well as proactive strategies to minimize the frequency of loss.