[BreachExchange] Paying for a HIPAA Breach: Cyber Insurance Covering

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 19:22:54 EST 2018


A $2.3 million HIPAA settlement by 21st Century Oncology from mid-December
2017 seemed to mostly fly under the radar. A combination of events seems to
have helped push the low profile, namely lack of an announcement by the
Office for Civil Rights and an unfamiliar venue for approving the
settlement, Bankruptcy Court. Instead of an OCR press release, the
settlement was buried in a Department of Justice press release, since 21st
Century Oncology also settled major fraud allegations. As a result, the
fraud took the headlines.

The $2.3 million price tag on the settlement is eye-catching by itself. It is
a significant amount of money and ranks as one of the higher settlements
imposed by OCR. Turning to the facts, 21st Century Oncology learned of the
data breach after being notified by the FBI. After learning about the breach,
21st Century Oncology determined that its servers had been compromised for
over a month, with a potential 2,213,957 records impacted. The information
included sensitive elements such as names, social security numbers,
diagnoses, and insurance information.

As any reader of an OCR settlement should know by now, though, the internal
investigation into the extent of the breach was not the end of the story.
Once OCR came in to take a look around, it found a myriad of violations
beyond the impermissible disclosure, including that 21st Century Oncology
(i) failed to do the necessary risk analysis (a common failing point), (ii)
failed to implement all necessary security measures, (iii) failed to
regularly review records of information security measures to determine
whether the network was remaining secure, and (iv) provided PHI to a vendor
without executing a business associate agreement. As the list of violations
demonstrates, 21st Century Oncology hit some of the major pain points that
drive OCR to impose significant fines.

The setup so far is not much different than any number of previous
breaches. However, the most interesting part of the settlement is not
actually the terms of the settlement with OCR. Instead, the interesting
part is the fact that 21st Century Oncology’s insurer, Beazley, assumed the
obligation for payment of the fine and payment of 21st Century Oncology’s
defense fees. Without having any of the facts from behind the scenes, the
apparent willingness of Beazley to assume the costs associated with the
data breach is important to show that a cyber insurer would fulfill its

The cyber insurance field is in a period of settling at the moment. No
consistent standard exists for how cyber insurance policies are written,
not least of which is what matters will be covered. Some policies will
cover breach response, some will only cover aspects of the response, some
will cover penalties, and there are any number of other permutations when
it comes to the scope of coverage. Despite the broad range of what coverage
could potentially be, an area of contention has been actually paying out
when a breach occurs. That is where the real money comes in and when means
may be sought to deny coverage.

As noted above, without having the benefit of the background, the order
from the Bankruptcy Court approving the settlement with OCR and relief
specifically stated that Beazley, as insurer, would take all actions
necessary to effectuate the settlement. Such apparent ease in reaching a
settlement offers a glimmer of hope going forward. If insurers will cover
costs associated with a breach, including fines and penalties imposed by
the government, then cyber insurance may begin to convey real meaning.

As costs and penalties begin to be covered, the next question will be how
the cost of such insurance changes and the nature of the terms. As
indicated, it is an improvement for penalties to be covered by insurance,
but there will still be a number of issues to work out. That will require
carefully reading policies as well as all riders and negotiating with
insurers for desired coverage.

As is usually the case with a settlement, the 21st Century Oncology
settlement carried more import than initially apparent. Maturity of cyber
insurance will be important given the increasing number of data breaches
and corresponding monetary implications. While it would be preferable to
not have this particular market become so experienced, the reality is that
such development is necessary and will help all sides.

Post-publication Update: After this blog post was initially published the
morning of December 28, 2017, OCR issued a press release that same
afternoon announcing the 21st Century Oncology settlement. The delay is
curious, since the story had been well told by the time of release. The
delay is also interesting because $2.3 million is a hefty fine, in line
with the head of OCR’s desire to seek eye-catching numbers.