
The health care industry has been subject to some of the largest cyber attacks known to the public. Unfortunately, due to the value and sensitive nature of the personally identifiable information (PII) processed and stored within the industry, it continues to be one of the most frequently targeted industries for cybercrime.

In July 2018, the detailed medical history and contact information of thousands of home-care patients and employees of an Ontario health care provider were allegedly held for ransom by cyber criminals. In this case, the hackers demanded payment in exchange for the stolen information.

When a data breach occurs, your company may face many costs, such as hiring forensic experts, privacy regulation fines, business interruption expenses, credit and identity monitoring for the breach victims, and defence costs, to name a few. Based on a study by the Ponemon Institute, “the average cost of a data breach per compromised record was $148”, and that figure continues to climb each year.

Sadly, it has been confirmed that 60% of small businesses that suffer from a cyber attack go out of business within 6 months.

Cyber Insurance Coverage for Healthcare Companies

The following are a few coverage options that a cyber insurance policy can provide:

Extortion Costs
In the scenario above, with Network Extortion coverage, the insurer would be able to step in and pay the ransom demanded by the hackers in an attempt to recover the stolen information.

Notification Costs
As of November 1, 2018, amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) require that, if you suffer a breach that poses a real risk of significant harm, you must notify all affected individuals.

Regulatory Fines and Penalties
Ontario’s Personal Health Information Protection Act (PHIPA) and PIPEDA enforce strict regulations regarding patient privacy. Violations of PHIPA can result in fines of up to $500,000, while failure to comply with any aspect of PIPEDA’s mandatory data breach reporting and notification requirements can result in a fine of up to $100,000 per violation.