Scenario 1: Network Asset Protection/Cyber Extortion
In late July 2016, employees of a hospital discovered that their email accounts were not accessible. The hospital’s IT department investigated and discovered that a ransomware attack infected 70 servers and 600 workstations. The hospital had to close operations for 2 business days and suffered various losses in relation to the event.
Cyber Insurance covered:
- IT Forensic Consultants – Consultants were retained to immediately address the ransomware attack, secure data, investigate if any patient health information was compromised, and rebuild the hospital’s network.
- Business Interruption and Income Loss – Several surgeries had to be cancelled resulting in loss of income.
- Data Recovery – Several employees had to work overtime to recreate lost data from back-ups.
- Ransom Amount – The Hospital paid the ransom demand to restore system access.
IT Expenses: $417,000
Business Interruption and Income Loss Expenses: $65,000
Data Recovery Expenses: $76,000
Ransom Expenses: $9,350
Total Expenses: $567,350
Scenario 2: Privacy Regulatory Defense and Penalties
The laptop belonging to an employee of a medical research institute was stolen. The laptop, containing the electronic protected health information (ePHI) of approximately 296,000 patients and research participants, was not encrypted. The ePHI included names, dates of birth, addresses, social security numbers, diagnoses, and laboratory results. Given the nature of the information stored on the laptop and the fact that the laptop was not encrypted, the incident was determined to be a reportable breach under HIPAA. The institute reported the incident to the Department of Health and Human Services (DHHS) and the Office for Civil Rights (OCR). After a full investigation, the OCR concluded that the institute’s security policy did not comply with the HIPAA Security Rule in that it was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the institute. The OCR imposed civil fines and penalties against the clinic. Counsel was ultimately successful in helping the insured achieve a settlement with the OCR which reduced the fines and penalties and included a corrective action plan.
Cyber insurance covered the legal expenses incurred in responding to the OCR’s investigation and the OCR settlement.
Defense Costs: $100,000
OCR Settlement: $1,500,000
Total Expenses: $1,600,000
Scenario 3: Privacy Breach Response Costs, Patient Notification Expenses, and Patient Support and Credit Monitoring Expenses
A clinic received notice from an IT Security company that the PHI of 88 patients was found on the “Dark Web”, which is used for illegal activity by criminals. Shortly after, the Insured received an anonymous email from a hacker calling himself “The Dark Overlord” claiming to be in possession of all the clinic’s information.
Cyber insurance covered:
- IT Forensic Consultants – Determined that the PHI was likely accessed by a hacker gaining access to an employee username and password.
- Breach Coach Counsel – Determined there was a high probability that all records were in fact obtained by “The Dark Overlord”, requiring notification to all 544,000 patients.
- PR Firm – Assisted the clinic in developing a crisis management plan to mitigate reputational harm resulting from the incident.
- Notification Expenses and Credit Monitoring – 544,000 patients were notified and offered credit monitoring.
IT Expenses: $82,175
Breach Coach Counsel Expenses: $66,909
PR Expenses: $83,516
Notification/Credit Monitoring Expenses: $817,400
Total Expenses: $1,050,000