ISMIE Mutual’s Cyber-Liability Coverage

Friday, July 1, 2011

Why the Need For Cyber-Liability Coverage?

Physicians need cyber-liability coverage to protect against the threat of:

  • Unauthorized Disclosure of patient health information and patient identifiers
  • Failure of computer security to prevent a system breach
  • Regulatory actions by the government arising out of unauthorized disclosure and/or computer security breaches

Cyber insurance coverage also provides peace of mind for patients. In the event of an unauthorized disclosure or security breach, patients will be offered TransUnion’s Interactive 3 in 1 credit monitoring at no cost, for up to 12 months.

This new endorsement is provided to ISMIE policyholders through a partnership with Beazley Syndicate, a leader in cyber-liability protection for physicians, physician groups, hospitals and other health care organizations. Beazley is a participant in the Lloyd’s of London market and also underwrites business in Europe, North America and Asia.

Security Breaches: Real-Life Examples

Increased use of electronic medical records by physicians and other health care professionals increases the likelihood of improper access to medical records, stolen laptops and hard drives and personal information being publicly exposed.

Example 1: An insurance company employee’s personal laptop was stolen from the employee’s car. The laptop contained between 800,000-850,000 physician records and included tax identification numbers (including social security numbers) and other physician identifiers. The employee had improperly downloaded this information onto a personal laptop in violation of company protocols.

Example 2: Many physicians and physician groups utilize independent billing services for billing and collection of professional fees. In the course of providing these services to a group, a billing office was burglarized and a hard drive containing approximately 180,000 patient records was stolen. These patient records contained a number of patient identifiers including social security and driver’s license numbers.

Coverage provided under the Cyber-Liability Endorsement consists of three parts:

A. Information Security and Privacy Liability provides protection to the policyholder for any claim that arises because of violation of a privacy law. This is third-party liability protection in the event the policyholder is sued for acts (or failures) such as:

  • Unauthorized disclosure of personally identifiable non-public information (social security numbers, debit or credit card numbers, personal identification numbers (PINs), driver’s license number, etc.);
  • Failure of computer security to prevent a security breach;
  • Policyholder’s failure to disclose either 1 or 2 in violation of a breach notice law;
  • Failure to comply with a privacy policy;
  • Failure to administer an identity theft program.

B. Privacy Breach Response Services are services that will be provided to the policyholder and the policyholder’s patients in the event of an unauthorized disclosure or security breach (noted above in 1 or 2). The services specific to the policyholder include:

  • Any forensic investigation by a computer expert to determine the extent of any security breach;
  • Any attorney fees to determine the applicability of any breach notice and the appropriate response required;
  • Required notification to affected individuals because of any breach notice law.

The services specific to the policyholder’s patients are intended to mitigate any concerns and adverse consequences that patients may experience when their personal data has apparently become public.

The primary service for patients who have received notification because of a breach law is TransUnion Interactive 3 in 1. This “credit file monitoring program” is offered to notified patients at no cost for a period of 12 months and includes the following features:

  • Upon enrollment, a one-time, on-line delivery of the notified individual’s credit history and credit score from each of the three major credit bureaus (Equifax, Experian and TransUnion);
  • Unlimited access by the notified individual to TransUnion credit report and credit score for up to 12 months;
  • Continuous, daily monitoring by TransUnion of all three credit reports with e-mail notification in the event of an address change, credit inquiry, new account opening, posting of negative credit information, etc.
  • Telephone access to counselors trained in the Fair Credit Reporting Act to review the notified individual’s credit file.

C. Regulatory Defense and Penalties provides protection for any regulatory proceeding brought against the policyholder because of an unauthorized disclosure, security breach or failure to disclose such acts in violation of a breach notice law. The protection includes both penalties, which might be assessed against the policyholder, and legal expenses to represent the policyholder before the appropriate authorities.

Limits of Liability and Retentions under the Cyber-Liability Endorsement

Limits and Retentions for Coverage A and C:

  • Limits are in excess of the retention.
  • Limits apply to and retentions satisfied by: damages, claims expenses and penalties.
  • Sub-limit for Coverage C is included in the Aggregate and is not in addition.
  • A = Information Security and Privacy Liability
  • C = Regulatory Defense and Penalties

Limits and Retentions for Coverage B:

  • Limits are in excess of the retention.
  • B1 = Costs for computer security expert; attorney fees.
  • B2 = Costs to notify individuals under breach notice law.

Higher Limits are Available

For policyholders who need higher limits, ISMIE Mutual and Beazley will partner and deliver. Higher limits will be subject to additional premium and underwriting by Beazley.

What should a policyholder do in the event of a claim under this endorsement?

If you experience (or believe you have experienced) a claim:

  • Unauthorized disclosure of patient health information and patient identifiers;
  • Failure of security to prevent a breach of your system;
  • Regulatory actions by the government arising out of either of the preceding.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.
