HIPAA Privacy Breach and the Cyber Security Insurance


The survey by Protiviti and North Carolina State University (Top 10 CFO Risks for 2017, www.cfo.com) ranks cyber threats #3 among the top 10 risk issues for 2017. Why? Because of the volume of breaches and cyber security threats directed at the industry and at individuals.

Let’s say your organization has a privacy breach, and your response management goes into action: address list management, mail and email notifications, contact center services and audit documentation. The organization notifies the insurance company and learns that the risk is only partially covered. What do you do?

There are three phases to a breach:

  1. Breach triage (analysis of, and response to, the breach),
  2. Impact of the breach (reactive efforts and the response to the damages) and
  3. Recovering from the breach (repairing the damage and restoring normal operations).

These phases carry direct costs (investigation, cybersecurity improvements, post-breach patient notification, public relations and attorney fees) and indirect costs (the value of patient relationships, insurance premium increases, loss of organizational reputation and the cost of replacing lost revenue).

Per IBM research (the 2016 benchmark research report sponsored by IBM and conducted by the Ponemon Institute), the average cost of a data breach in 2015 was $7 million, and the per capita cost was $401 per record. How much is your cybersecurity policy coverage? How long will it take to get the claim resolved? Which direct and/or indirect costs are you covered for?

Like most provider organizations, yours probably obtains cyber security insurance through a broker. The broker sits down with the CFO and hands over an application form for security and privacy coverage. The form is a checklist of 15 or more questions. Typical questions are:

  • Do you have a written procedure with respect to security?
  • How often are virus definitions updated and disseminated?
  • Do all external communications pass through a firewall?
  • Is the organization subject to the following – HIPAA/HITECH, PCI, Gramm Leach and are you in compliance?

The answers are Yes/No boxes, and on the compliance question the organization is going to answer Yes, because there is no regulatory authority that certifies a firm as compliant or non-compliant. Those answers are self-attestations, so the organization should be able to substantiate each Yes with documentation if the application is reviewed when a claim is filed.


The insurance company performs its due diligence and processes the application. Does the coverage include the direct and indirect costs? The breach triage costs? The impact costs? The post-breach recovery costs?

“The role of the Insurance market is shrouded in clouds”, says Dominic Casserley, the President and Deputy Chief Executive Officer of Willis Towers Watson (Quantifying Cyber Risks, by David Katz, www.cfo.com). Many providers transfer risk by buying cyber exposure policies.

Having insurance does not transfer all the risk. The provider organization needs to do its own due diligence, i.e.

  • Have policies and procedures in place
  • Perform a gap analysis
  • Monitor in-house security and privacy and perform a self-audit
  • Perform a loss control assessment (so that losses are mitigated).

Having done this homework and compared exposure against the insurance coverage, an organization will know where it stands on claims if a breach happens. When purchasing a policy or a cyber plan from an insurance company, providers need to focus on a plan that meets their own practice needs, rather than buying a jigsaw puzzle of products that overlap in some areas and exclude others.
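To make the exposure-versus-coverage comparison concrete, here is an added Python example (not from the original post and not MindLeaf's tool) that models a breach's cost categories, as listed above, against a hypothetical policy with a retention, per-category sublimits and an aggregate limit, and reports the uncovered gap. The only figure taken from the post is the $401 per-record benchmark; the record count, cost split, policy limits and category names in the code are constructed assumptions for illustration.

```python
"""Compare estimated breach exposure against a cyber policy's coverage.

Added illustration, not MindLeaf's tool or any insurer's form. The only
figure taken from the page is the $401 per-record benchmark; the record
count, cost split, sublimits and retention below are constructed.
"""
from dataclasses import dataclass

PER_RECORD_COST = 401.0  # per capita cost cited on the page (Ponemon/IBM)

# Cost categories named on the page. Fractions are a constructed split
# of the total exposure; they must sum to 1.0.
DIRECT = {
    "investigation": 0.10,
    "cybersecurity_improvements": 0.15,
    "patient_notification": 0.10,
    "public_relations": 0.05,
    "attorney_fees": 0.10,
}
INDIRECT = {
    "patient_relationships": 0.20,
    "premium_increase": 0.05,
    "reputation": 0.15,
    "lost_revenue": 0.10,
}


@dataclass
class Policy:
    """A simplified cyber policy: hypothetical structure, not a real form."""
    aggregate_limit: float  # most the insurer pays for the whole claim
    retention: float        # deductible borne by the insured before any payment
    sublimits: dict         # category -> cap; a category not listed is excluded


def estimate_exposure(records: int) -> dict:
    """Total exposure = records x per-record cost, split by category."""
    total = records * PER_RECORD_COST
    split = {**DIRECT, **INDIRECT}
    assert abs(sum(split.values()) - 1.0) < 1e-9, "split must sum to 1"
    return {cat: round(total * frac, 2) for cat, frac in split.items()}


def compare(exposure: dict, policy: Policy) -> dict:
    """Apply retention, sublimits and the aggregate limit category by category.

    Returns per-category covered/uncovered amounts plus totals, so the
    gap (what the organization still pays itself) is explicit.
    """
    retention_left = policy.retention
    aggregate_left = policy.aggregate_limit
    covered, uncovered = {}, {}
    for cat, cost in exposure.items():
        if cat not in policy.sublimits:        # excluded outright
            covered[cat], uncovered[cat] = 0.0, cost
            continue
        retained = min(cost, retention_left)   # insured pays the retention first
        retention_left -= retained
        payable = min(cost - retained, policy.sublimits[cat], aggregate_left)
        aggregate_left -= payable
        covered[cat], uncovered[cat] = payable, cost - payable
    return {
        "covered": covered,
        "uncovered": uncovered,
        "total_exposure": sum(exposure.values()),
        "total_covered": sum(covered.values()),
        "gap": sum(uncovered.values()),
    }


# Constructed scenario: 10,000 patient records and a policy that covers a
# few direct cost categories plus lost revenue, each with a cap.
SAMPLE_POLICY = Policy(
    aggregate_limit=2_000_000.0,
    retention=50_000.0,
    sublimits={
        "investigation": 500_000.0,
        "patient_notification": 250_000.0,
        "public_relations": 100_000.0,
        "attorney_fees": 500_000.0,
        "lost_revenue": 300_000.0,
    },
)


def sample_gap_report(records: int = 10_000, policy: Policy = SAMPLE_POLICY) -> dict:
    """Run the constructed scenario and return the comparison."""
    return compare(estimate_exposure(records), policy)


if __name__ == "__main__":
    report = sample_gap_report()
    for cat in report["uncovered"]:
        print(f"{cat:28s} covered {report['covered'][cat]:>12,.0f}"
              f"  uncovered {report['uncovered'][cat]:>12,.0f}")
    print(f"exposure {report['total_exposure']:,.0f}  "
          f"covered {report['total_covered']:,.0f}  gap {report['gap']:,.0f}")
```

In the constructed scenario the $4.01 million exposure is only about $1.4 million covered: the excluded indirect categories and the sublimits on notification and public relations leave a gap of roughly $2.6 million that the organization would carry itself. Swapping in the real record count, the categories the actual policy schedules, and its retention and limits turns this into the gap analysis the checklist above calls for.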

As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.”

At MindLeaf (www.mindleaf.com) we have been protecting patient privacy by ensuring that providers have the right procedures and policies in place and by deploying a tool on a SaaS basis to monitor privacy. By deploying a SaaS tool, organizations benefit from lower IT and resource costs, and the tool supports the CFO and compliance officer in staying compliant.

Recently MindLeaf published an ebook on the subject: HIPAA Privacy Monitoring eBook.






Paresh K. Shah

Labels: HIPAA Privacy