Data breach insurance goes mainstream in health care

A growing number of breaches and highly publicized fines has resulted in smaller medical practices looking for protection.

By — Posted Aug. 19, 2013


Many companies, including those in health care, consider cyber security threats to be as big as — or bigger than — the threat of a natural disaster or fire. Just as those organizations carry insurance for the relatively small chance that a tornado or fire destroys their businesses, many now are looking at policies that will cover the potentially devastating impact of a data breach.

The number of people affected by breaches in the U.S. continues to climb each year. For health care organizations, the threat of being slapped with a large fine for violating terms of the Health Insurance Portability and Accountability Act also has increased. The Dept. of Health and Human Services' Office for Civil Rights has made clear that no practice is too small to be fined. A new study from Experian and the Ponemon Institute finds that the majority of companies across several sectors, including health care, are turning to cyber or data breach insurance to mitigate the financial risks of a breach.

The study found that 31% of companies have cyber insurance, and 39% plan to buy it. In health care specifically, 32% have it and 41% are interested, said Michael Bruemmer, vice president of Experian Data Breach Resolution.

There are no historical data to show actual growth, but industry insiders say there is plenty of anecdotal evidence to show a definite increase in interest from health care organizations. Bruemmer said the interest started about two years ago with mid- to large-sized organizations such as hospitals and health care systems. In the past six to nine months, he has seen a shift toward smaller practices expressing interest in the coverage. Although some physicians are having a hard time seeing the cost benefit of having the insurance, those that have had to use it say it was worth it.

The Experian-Ponemon report found that of the health care organizations surveyed for the study, 77% said cyber risk insurance was important. Of those that made a claim against a breach event, 97% said the experience was good or excellent.



As more health care organizations become victims of breaches, awareness and interest in data breach insurance have grown, said Holly Moriarty, small commercial business marketing director for outpatient health care at the Hartford, an insurance company based in Connecticut that sells breach coverage.

NetDiligence, a cyber security firm that provides risk assessments and data breach services, published a white paper in October 2012 in which it analyzed 137 events reported to breach insurance underwriters between 2009 and 2011. Health care and financial services topped the list as the most frequently breached sectors. The report said the average cost per breach was $3.7 million, the majority of which was legal damages. This figure was lower than the figure calculated by the Ponemon Institute, a data privacy and security researcher in Traverse City, Mich. Its May report, “2013 Cost of Data Breach Study: Global Analysis,” put the average cost per breach in the U.S. in 2012 at more than $5.4 million, or $188 per breached record.

Cost-benefit of insurance

Although a breach at a small physician practice probably won't cost that practice anywhere near $5 million, it could easily run into the hundreds of thousands of dollars — enough to cripple a practice running week to week financially.

Chris Apgar is CEO of Apgar & Associates, a privacy and security consulting firm. He recently conducted a risk analysis for a nine-doctor physician practice showing that the cost of notification alone in the event of a breach would be more than $100,000. Under HIPAA, a practice with a data breach affecting 500 or more people is required to notify patients, local media and the secretary of the Dept. of Health and Human Services. “It can get very, very expensive,” he said.

32% of health care organizations have cyber insurance against data breaches.

When Howard Bergstein, an insurance agent from Maywood, N.J., decided to offer data breach insurance to medical offices two years ago, he thought it would be an easy sell. He was selling stand-alone policies for $2,500 a year that covered everything from the cost of notification to the price of a public relations firm to help protect the reputation of the practice. The policies also covered third-party claims for practices that find themselves the target of a lawsuit as the result of a breach.

Bergstein spoke at several physician-led conferences, visited numerous practices and spent many hours marketing the policies. Everywhere he went, he got good feedback from physicians who thought the plans were a great idea. But after nine months, he couldn't get one of them to actually buy the coverage.

He said the practices were overwhelmed with installing electronic health record systems, complying with the meaningful use incentive program and following new regulations from the Health Information Technology for Economic and Clinical Health Act of 2009, which includes regulations relating to data security. Even at $2,500 a year, it was money the physicians were unwilling to shell out because of other obligations, Bergstein said.

Mark Greisiger, president of NetDiligence, said he has heard the same arguments about the price of coverage. His response is to refer back to the analysis of claims that have been made and the average claims that are being paid out. “Those costs aren't trivial,” he said. Greisiger also shares with clients research showing how often a practice's peer practices are having security issues.

Moriarty said that as more breaches are publicized, along with the amount of fines against those companies that experienced a breach, more practices are electing to get coverage.

If physicians still are not convinced a practice should invest in the insurance, they should look more closely at their existing coverage, Apgar advised. Doctors should check what a practice's liability insurance covers. There also might be protections built into an individual physician's coverage, he said.

“A lot of times malpractice insurance is heavy on risk protection, and risk can be defined pretty broadly,” he said.

Making data more secure

Many health care organizations that have gone into the market for breach insurance did so because they already had experienced a breach. Bruemmer said getting insurance has made many feel more secure not just because of the coverage but also because of the issues they were forced to think about as part of the application process.

Breach insurance contracts ask about certain controls the practice has in place, as well as access and workflow issues that affect data privacy and security, Moriarty said. There also are requirements, such as employee background checks and limited employee access, that practices must meet to even qualify for coverage, she added. Practices are required under federal law to have a breach protection plan, though an insurer might ask for more precautionary preparation.

“Just by asking those types of questions, it starts to trigger a lot of thoughts like, 'OK, these are things I haven't considered or things I don't have in place today but should have in place,' ” she said.

When shopping for a policy, Apgar said, a practice should look not only for what the policy covers but also for what it doesn't cover. Policies can be either stand-alone or an addendum or endorsement to an existing business owner's policy. Smaller organizations tend to go with endorsements, he said. Policies should cover the cost of notification to victims, forensic investigations, regulatory fines and penalties, legal costs, and damages.

The market is still maturing and growing, and policies have grown broader in their coverage in recent years. There also has been a growing number of insurance carriers that offer it. “It's still a growing market out there, but it's come a ways in the last couple of years,” Apgar said.



Why companies are not purchasing cyber insurance

A multi-industry survey that included health care organizations on attitudes about cyber insurance found that 31% of companies have coverage. Of those that don't, 57% plan to buy it in the future. Forty-three percent have no plans to purchase insurance and gave varying reasons why.

Reason for not buying coverage                                          Percentage
Premiums too expensive                                                  52%
Too many exclusions, restrictions and uninsurable risks                 44%
Property and casualty policies are sufficient                           38%
Unable to get insurance underwritten because of current risk profile    26%
Coverage is inadequate based on exposure                                26%
Risk does not warrant insurance                                          9%
Executive management does not see the value                              5%

Note: Percentages do not add up to 100% because respondents could choose up to two responses.

Source: Infographic with highlights of “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age,” Experian Data Breach Resolution and the Ponemon Institute, August. The full report is available online (requires registration).


What cyber insurance covers

Cyber insurance policies can carry a variety of benefits. Experts say medical organizations should have policies that include, at minimum, coverage of notification costs, forensic investigation costs, legal defense costs, penalty and fine coverage and third-party liability. Experian Data Breach Resolution and the Ponemon Institute surveyed policyholders and asked what protections or benefits their policies included.

Protection/benefit                                  Percentage of policies
Notification cost to data breach victims            86%
Legal defense costs                                 73%
Forensic and investigative costs                    64%
Replacement of lost or damaged equipment            48%
Regulatory penalties and fines                      46%
Revenue losses                                      34%
Third-party liability                               30%
Communication costs to regulators                   30%
Employee productivity losses                        11%
Brand damage                                         8%
Other                                                2%

Note: Responses do not add up to 100% because respondents could choose all responses that applied.

Source: Infographic with highlights of “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age,” Experian Data Breach Resolution and the Ponemon Institute, August. The full report is available online (requires registration).
