The ransomware that invaded the server presented like a virus, and a limited number of documents were encrypted on one server. Once the attack was discovered, the physician practice reached out to their IT service provider, who took the system down immediately, deleted the virus and began to restore the system from a backup. However, in doing so, the IT vendor had not determined whether patient data was actually exposed.
[First Lesson Learned: An IT provider experienced with healthcare data breaches likely would have quarantined the virus instead of deleting it, in order to determine if patient data was actually breached. Regardless, after contacting HUB, they were immediately connected with their carrier to file a claim, which could have been avoided if the IT vendor had quarantined the virus for forensic evaluation. Make sure your IT provider is up-to-date on breach management requirements.]
After their IT service provider brought the system back up, the practice reached out to HUB to find out whether they had insurance to cover their business interruption for the days they were disrupted and couldn’t conduct regular business due to the system shutdown.
The claim was reported to the cyber carrier as well as the medical malpractice carrier, who had an automatic, no-charge, low-limit endorsement as part of their policy. Having two carriers involved made claims management and coordination more difficult, causing unnecessary delays.
[Second Lesson Learned: A small cyber endorsement was attached to the firm’s medical malpractice policy, which was automatic. These endorsements tend to be included and are often difficult or impossible to remove. In this case, the claim rep for the medical malpractice carrier had limited experience handling cyber breaches, but was designated as lead by the cyber carrier. The delays led to frustrations for the practice. HUB jumped in and changed the primary claim rep to the more experienced cyber carrier. Practices should work with their current broker to coordinate between robust coverages and throw-in endorsements to maximize the outcome before a claim occurs. Since throw-in coverages are difficult to amend or remove, other creative approaches can be applied. Additionally, limits should be benchmarked and evaluated and, if possible, policies should be stacked to maximize protection. While cyber claims can be large and should not be treated lightly, free endorsements should be looked at critically.]
The practice also contacted a local attorney for counsel. The local attorney’s approach concerned the practice, as the attorney appeared to lack the ability to coach the practice through the complex claim process or provide counsel on federal or state notification guidelines.
[Third Lesson Learned: HUB immediately worked with the claims reps and other specialists to identify an experienced Breach Coach Attorney who replaced the local attorney. The result was a streamlined and coordinated approach including more experienced counsel from a specialist. HUB also recommended a cyber response plan for future potential incidents to identify a pre-approved, experienced coach and protocol.]
In evaluating the circumstances, the coach determined that HIPAA guidelines require that, in the event of a ransomware attack, the responsibility falls on the covered entity to report the breach if patient information may have been compromised. The coach recommended a complete systems forensic evaluation. Because the virus had been destroyed by the IT vendor without a copy being quarantined, this evaluation could not unequivocally rule out that a breach had occurred, despite the practice suspecting there was no breach and having no evidence that one had occurred. As a precaution, the coach recommended that the medical practice voluntarily notify the Office of Civil Rights (OCR), which oversees healthcare breach claims, as well as the over 100,000 patients in their system, of the failed ransomware attack, so they did.
[Fourth Lesson Learned: Medical practices should be aware of their responsibilities regarding ransomware attacks and obligations under HIPAA. They should then set up a process with their insurance broker, select a breach coach and have a plan in place with their IT vendor to follow a protocol to avoid unnecessary work and costs should a ransomware attack, or even a botched ransomware attack, happen.]
The ransomware claim ultimately cost over $400,000 once the event was completed, including patient notifications, free credit monitoring services, IT forensics and legal fees. Together, the stand-alone policy and the cyber insurance endorsement covered the costs above the deductible. However, the surprising number of patients in their system, for a group of nine physicians, greatly impacted the cost of the incident.
[Fifth Lesson Learned: Having a plan in place prior to a claim would certainly reduce the costs and frustrations after an event. Practices also need to be aware of how many medical records they have and where they are stored, and they need to work with their security teams to minimize exposures to that data.]
Today, the medical practice has an established process with HUB, their experienced breach coach, IT vendor and cyber insurance carriers. We hope the additional steps to ensure they do not fall victim to another ransomware attack or data breach, and the training of their doctors and staff on best practices (including using stronger computer passwords), will greatly reduce the probability of a future reoccurrence.
A cyber breach without the right coverage can put a medical practice out of business. Contact a HUB Cyber Insurance specialist and ensure the right cyber coverage is in place!
