Scenario 2: Privacy Regulatory Defense and Penalties
The laptop belonging to an employee of a medical research institute was stolen. The laptop, containing the electronic protected health information (ePHI) of approximately 296,000 patients and research participants, was not encrypted. The ePHI included names, dates of birth, addresses, social security numbers, diagnoses, and laboratory results. Given the nature of the information stored on the laptop and the fact that the laptop was not encrypted, the incident was determined to be a reportable breach under HIPAA. The institute reported the incident to the Department of Health and Human Services (DHHS) and the Office for Civil Rights (OCR). After a full investigation, the OCR concluded that the institute's security policy did not comply with the HIPAA Security Rule, in that it was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the institute. The OCR imposed civil fines and penalties against the clinic. Counsel was ultimately successful in helping the insured achieve a settlement with the OCR that reduced the fines and penalties and included a corrective action plan.
Cyber insurance covered the legal expenses incurred in responding to the OCR's investigation and the OCR settlement.