As discussed Friday on the Hunton Privacy and Information Security Blog, the US Department of Health and Human Services has imposed an unauthorized $3.2 million fine on the Children's Medical Center of Dallas over breaches of HIPAA-protected information. The violations were alleged to have arisen in 2009 (when an employee lost an unencrypted Blackberry containing electronic protected health information (ePHI) for 3,800 individuals); 2010 (when a hospital staff member lost an "iPod device" synchronized to a hospital email account, compromising the ePHI of at least 22 people); and 2013 (when an unencrypted laptop, containing ePHI for 2,462 individuals, was stolen from the hospital). The government's investigation apparently led to the children's hospital recognizing additional thefts of ePHI-containing devices in 2008 and 2009.
These claims, along with other items raised in HHS correspondence to the hospital, underscore common obstacles to insurance coverage that policyholders can face when seeking compensation for government fines for ePHI-related losses:
- Coverage for regulatory fines. Coverage of regulatory fines is now a common part of cyber insurance policies. However, some policies still contain obsolete or unreasonably wide-ranging exclusions that should be negotiated out of the policy.
- Exclusion of unencrypted devices. Many insurers require encryption, period. In fact, inability to ensure complete encryption can stop coverage negotiations in their tracks. Other policies require encryption implicitly, through exclusions that bar coverage for claims arising from breaches of unencrypted data. Under the right circumstances, these exclusions can be modified or eliminated before policy placement.
- The prior knowledge exclusion. Insurance policies exclude claims arising from situations that the insured would reasonably have foreseen. In conjunction with this, insurers have been known to rely on incorrect, incomplete or omitted responses to insurance application questions about past losses and current security measures to cancel coverage.
Here, HHS reported that Children's had been notified in 2007 and 2008 by independent threat analysis companies that encryption was necessary to protect its devices, but failed to implement encryption on all devices until April 201
These are just some of the common obstacles to coverage when faced with a regulatory fine. Using experienced coverage counsel can help insureds minimize the effects of these barriers and otherwise fill gaps in coverage, even when a loss history is less than stellar. Hopefully, Children's has good policies and the right broker and outside advisors in place so that it will not be at a loss over the loss.