More than six years after a data breach that disclosed 2.81 million patients’ protected health information, Banner Health has agreed to pay $1.25 million to the U.S. government to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA), Campus Safety Magazine recently reported. The Arizona-based healthcare system also agreed to implement changes to better protect patient information.
“The precedents have been set for how the government is requiring companies to protect data, so this will not be the first time we see a higher penalty,” said Derek Kilmer, Associate Managing Director, Broker, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “The fines and penalties are definitely increasing as time goes on, especially as the regulatory bodies get caught up more on these cases in general.”
Recent reports show that the number of data breaches in the healthcare industry remains higher than pre-pandemic levels and that more patients are being affected per breach. This makes data security efforts and broad Cyber and Privacy Liability Insurance increasingly important for healthcare companies, said Karl Olson, Vice President, Professional & Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California.
“The healthcare industry is a very large target because of the amount of data that they have, the sensitive nature of the data, and the number of endpoints or touchpoints to that data,” Olson said. “It is as important to have broad insurance coverage at a competitive price as it is to know what risk management services are offered by the carrier, what kind of claim response can be provided, and who is behind those services.”
Penalty could signal shift in regulatory activity
Banner Health’s resolution payment to the Department of Health and Human Services is not the only amount it has paid related to the 2016 cyberattack, which, according to reports from Fierce Healthcare, began on June 23, 2016, and lasted two weeks as hackers first accessed the health system’s network through its food service payment system before eventually hacking into patient data servers. Patients filed a class-action lawsuit after the breach, and in 2020, a federal judge gave final approval for an $8.9 million settlement, making it one of the industry’s largest data breach-related settlements, Health IT Security reported.
The new $1.25 million HIPAA settlement is somewhat out of the ordinary, Olson pointed out, because many government investigations into potential violations end in recommendations for the healthcare community rather than large penalties.
“It is interesting that this is a HIPAA violation, which are separate regulations from cyber liability and state notification requirements,” he said. “We do not see that many HIPAA violation settlements. This may signal the regulators’ move towards financial damages rather than just investigations.”
Another large settlement related to alleged HIPAA rule violations was announced in July 2022, when the Oklahoma State University Center for Health Sciences paid $875,000 to the Office for Civil Rights to resolve potential HIPAA violations stemming from a 2018 data breach that exposed information on almost 280,000 patients, Healthcare Dive reported.
“The regulators’ approach has often been to assist and educate the healthcare community on best practices,” Olson said, noting that recent settlements “may trigger further activity for the pursuit of financial damages.”
A healthcare facility’s Cyber and Privacy Liability Insurance could cover these types of settlements, along with other regulatory fines, Kilmer said. “Regulatory fines and penalties from a majority of government bodies can be covered on a cyber policy up to the policy limit,” he said. “That can be inclusive of HIPAA fines and penalties.”
The policy can also provide data breach notification and response services, which are critical for healthcare companies as they must comply with various federal and state regulations. According to Olson, an important part of responding to a cyber event in this sector is “notifying the proper authorities.”
“Cyber coverages are multifaceted so that you have the proactive risk management and the claim response, including forensics, that happens immediately when something is discovered. In parallel to that, you have the legal response that assists in notifying the proper authorities, which for healthcare entities includes the Department of Health and Human Services,” Olson said. “In addition to the state laws that apply for data breach response, you also have federal-level HIPAA requirements. I do not think everybody considers that.”
Healthcare companies uniquely vulnerable
According to a HIPAA Journal report, the Office for Civil Rights received 5,150 healthcare data breach reports between 2009 and 2022, exposing more than 382 million healthcare records. Data breaches in the healthcare industry are also a significant concern in Canada, where the country’s Office of the Privacy Commissioner in September 2022 called for strengthened digital health communication infrastructure to better secure patient data and increase trust in digital healthcare.
Patient health records often contain Social Security numbers, addresses, payment information and more, making health organizations a prime target for cybercriminals, Kilmer said. “Our health records just contain more pertinent information on us as individuals than what the standard retail store, for example, might have,” he said. “That is why healthcare breaches typically cost more per record than other industries.”
These breaches can come from a variety of sources. A Feb. 6 report from Reuters highlighted three recent data breaches affecting healthcare facilities, with sources including employees, third-party vendor tools, and cybercriminals. According to Olson, even a single visit to a medical clinic can include multiple information systems and potential opportunities for data to be exposed.
“That clinic will interact with your primary care doctor, whatever system they are on will interact with whatever system provides your health benefits, and so you have the potential for access by multiple authorized parties, which just opens up the amount of data that can be available to the wrong individuals,” Olson said.
As more devices are connected on health system networks — from ventilators and radiology equipment to patient tracking wristbands — the risks may increase, Kilmer added. “All of that helps the functionality of the hospital but it can also heighten the cyber exposure,” he said. “They are all possible entry points for cybercriminals.”
Bodily injury claims possible after breach-related delays in care
Beyond breach response expenses, regulatory penalties and lawsuit settlements, Cyber and Privacy Liability Insurance can also cover business interruption costs in some cases, as well as bodily injury claims related to the breach. When healthcare facilities lose access to their online systems, they could need to temporarily shut down operations and delay appointments. In early February, a cyberattack forced Tallahassee Memorial HealthCare in Florida to divert patients to other facilities and cancel non-emergency procedures, The Record reported on Feb. 3.
“[Cyberattacks] can create challenges in providing medical care and certainly delays in providing immediate care in some situations,” Olson said. “If a network goes down and a patient cannot be seen and that creates further harm to that patient’s condition due to lack of access to a facility because their network was not operating, there can be coverage for those types of allegations as well.”
These allegations are not uncommon, Kilmer said, and underscore the need for high enough liability limits on Cyber and Privacy Liability Insurance. “That happens pretty frequently,” Kilmer said. “If a surgery has to be canceled, there is lost revenue and there is the possibility of bodily injury. Healthcare companies definitely want to make sure they are entertaining enough limits for a total loss.”
Whether diverting patients to other hospitals or facilities, healthcare systems should have procedures in place so that patient care is not impacted, Olson said. “Just because a network goes down does not mean it has to create some really dangerous situation for a patient population,” he said. Without those safeguards in place, “It can go from being an inconvenience to actually something dangerous for individuals.”
Fortunately, healthcare industry leaders tend to be more aware of cyber risks today than they were in the past, Olson said. Companies are also more likely to have adopted regular employee training, multi-factor authentication, endpoint detection, onsite backups and other data security strategies. “There is certainly greater awareness and much better adoption of purchasing cyber coverage,” he said.
Now is “a good time to explore” coverage options, Kilmer added. “In the cyber industry, and healthcare in general, the market is not softening from a price standpoint but it is a better time now for a buyer than it was this time last year, as long as you have the cyber controls in place,” he said.
In light of the recent Banner Health settlement and other large regulatory penalties, a key takeaway is that “this is not going to be the largest fine that we are going to see, and it does happen after the fact — in this case, more than six years,” Kilmer said. “You will get caught with a fine, it just depends on when.”