Two patients are pursuing class-action status for their lawsuits against a Colonie, New York health care company and its accounting firm over a 2019 data breach that reportedly exposed the sensitive information of 170,000 patients.
The lawsuits allege BST & Co. CPAs, the accounting firm for Community Care Physicians, experienced a ransomware attack in December 2019 and failed to disclose the incident to affected patients for more than two months.
The patients claim they face significant and long-lasting impacts, including persistent anxiety and future expenses.
“The impact of a breach like this can be far-reaching,” said Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox, Vancouver, British Columbia.
Patients may not trust a health care facility going forward if they feel their data is not being properly protected.
The incident, while smaller than data breaches in recent years at Marriott and Equifax that involved millions of users, serves as a reminder that companies of all sizes need a robust digital security plan that includes prevention, detection and Cyber and Privacy Insurance—especially during the COVID-19 crisis.
“Given the sensitive nature of the information that was leaked, and the allegations that proper protocols were not followed, it is a significant event,” said Erica Rangel, Broker, Professional Liability, Burns & Wilcox, Chicago, Illinois. “Patients may not trust a health care facility going forward if they feel their data is not being properly protected.”
Cyberattacks up amid COVID-19 crisis, adding to disruption and expense
While cyberattacks can occur at any time, they have become more prevalent since the start of the coronavirus pandemic. The U.S. Federal Bureau of Investigation reported a 400 percent spike in cybercrime since March and in April the World Health Organization warned against a “dramatic increase” in cyberattacks and email scams.
In 2018 alone, Internet-enabled theft, fraud and exploitation caused $2.7 billion in financial losses and more than 900 complaints sent to the FBI’s Internet Crime Complaint Center each day, on average. In Canada, 21 percent of businesses were impacted by cybersecurity incidents and spent an average of $16,000 to recover from the most significant attacks in 2017.
In some sectors the average cost to recover from cybersecurity breaches is even more substantial. In 2017, Canadian pipeline transportation businesses spent an average $131,000 per breach recovery, while banking institutions spent an average of $87,000. Without Cyber and Privacy Insurance, the costs of recovering from a breach could be crippling for a business of any size.
“The costs associated with an investigation, the loss of hardware and software, business interruption, reputational damage and fines far outweigh an investment to harden cyber risk,” said Matthew Lefchik, Director, Cyber Risk Management, Node International, Farmington Hills, Michigan. “If your systems are shut down and you cannot sell goods or provide services, that impacts your business. If other companies do not want to continue to work with you, that is reputational damage. The cumulative cost is much greater than that of security controls to minimize your risk.”
When a ransomware attack compromised some of Honda’s facilities on June 9, it temporarily forced the closure of the automaker’s plants in Ohio and Turkey. “Operational disruption is now the biggest cyber risk companies face,” Rose added. “If a breach occurs, it is as damaging as a fire, flood or any other type of tangible adverse event your company can experience.”
Risk management essential to cybersecurity
The lawsuit against Community Care Physicians alleges the company failed to train its employees in basic cybersecurity protocols. “Protection against cyberattacks starts with individual employees first and cybersecurity measures second,” said Rose. “Companies need educated individuals who are actively trying to prevent breaches.”
A cybersecurity firm recently uncovered at least 211 “malicious or fake” Google Chrome extensions—downloaded more than 32 million times—used to spy on users by taking screenshots, stealing login credentials and collecting keystroke data. While Google removed 106 extensions capable of collecting sensitive user data, the report from Awake Security details a massive campaign that gained a “persistent foothold” in sectors from oil and gas to retail and higher education.
“End users should be extremely cautious about what they are downloading,” Rangel explained, pointing out that businesses may use software extensions for a variety of reasons. “There are so many extensions and apps that are intended to make our lives easier, but that does not mean all of them are 100 percent legitimate. It is very easy for a hacker to make something look like it is from a reputable organization when it is not.”
Training employees to be aware of these cyber threats is one of the risk management tools typically included as part of a Cyber and Privacy Insurance policy. “Not only does Cyber and Privacy Insurance help mitigate the cost of recovering from a breach, it provides someone you can call as soon as a breach occurs,” Rangel said. “The insurance carrier can help companies put processes and policies in place so that they are in a better position overall to prevent breaches.”
Assessing a company’s vulnerabilities on a regular basis is essential, Lefchik added. “Running assessments alerts you to issues on the back end with your data and compliance,” he said. Employees, meanwhile, should receive training on their digital footprint. “If your login credentials or other personal information are exposed, that could put your own privacy or your company’s data at risk,” he said.
Aim for layers of protection
While cyberattacks are increasingly in the news, the threat they pose is often underestimated. In one recent survey, over 70 percent of Americans said they were not concerned about data security while working from home.
Many business leaders mistakenly believe that if they invest in security controls, they do not need Cyber and Privacy Insurance. They need both to effectively minimize overall risk exposure.
Small companies, which represent 43 percent of cyberattacks, are particularly at risk because they may lack the security infrastructure of larger companies. “While smaller companies are not always looking at the same risks as bigger companies, both need Cyber and Privacy Insurance protection,” said Rose.
Businesses should aim to build cybersecurity “in layers,” according to Rose. Cyber and Privacy Insurance is one of those layers. Other layers include encryption, the use of a virtual private network, and frequent updates to protocols as risks evolve. “Threats, especially where cyber is concerned, are constantly evolving and companies must keep up,” he said.
Directors & Officers Insurance (D&O) may be an additional layer needed by some companies, Rangel noted. The accounting firm for Community Care Physicians is the entity that lawsuits allege exposed patient data in the breach. In such cases, she explained, affected entities can file claims against the leadership of third-party businesses for not protecting their data.
In addition to cybersecurity awareness training, companies should utilize a monitoring and detection program to identify breaches more quickly, Lefchik said. By working with a company that specializes in cybersecurity, businesses can benefit from a team of experts to spearhead consulting, risk management, privacy, legal defense and endpoint protection and monitoring.
“Many business leaders mistakenly believe that if they invest in security controls, they do not need Cyber and Privacy Insurance. They need both to effectively minimize overall risk exposure,” Lefchik said. “What was adequate protection in 2019 and 2020 may not be sufficient in 2021.”