A laptop with unencrypted data containing patient files was stolen from a doctor’s unattended vehicle. Stored on the laptop’s hard drive are the practice’s network passwords and the electronically stored Protected Health Information (ePHI) of 600 patients, including names of the patients and their physicians, dates of birth, addresses, insurance information, social security numbers, and the health services provided.
The thief was able to access the confidential patient information and network passwords, which he subsequently used to introduce a hidden, malicious computer virus into the practice’s network server. The virus corrupted other data and computer programs, shutting the practice’s computer system down for four days until a computer forensic expert was able to repair the network. In the interim, staff were asked to work overtime to try to reconstruct and restore information that had not been backed up.
This is just one example of many elusive ways in which a practice can suffer a reduction or complete interruption of revenue, as well as incur unusual/extra expenses to stay in business, because of direct or indirect loss to insured computer property. And the law of unintended consequences can often create events that will lengthen an interruption.
Fortunately, the practice had purchased cyber liability insurance that included coverage for their loss of net profit and continuing expenses, as well as extra expense coverage for damage to their digital assets (i.e., electronic data and computer programs). In this case, the malicious code caused a covered interruption loss.
However, it can be difficult to estimate the indirect costs of lost productivity and reputation, as well as the actual expenses required to repair or replace damaged cyber property. For example, put yourself in this practice’s position and consider the following questions if your electronic data were destroyed or corrupted:
- Would an unexpected loss to your computer data and programs force your practice to close its doors, and how long would it take to rebuild your database?
- What will your most valued employees do? (Employee: “I wonder if my employer will even try to stay in business now? Perhaps one of our competitors will hire me.”)
- What will some of your patients do; that is, will you suffer some reputation damage? (Patient: “I think I need to look for another physician, since obviously my doctor doesn’t have good privacy and security practices in place.”)
- What will your competitor(s) do? (Competitor: “That’s a tough break; I’m glad it’s not my problem. Perhaps some of their patients will come to us, and once we can show them our patient services, we can hold onto them.”)
The costs of a cyber crime and the resulting lost income due to computer downtime or as a result of a data breach can be substantial. In fact, the expenses incurred to help the practice continue operations in some cases can be greater than the revenue lost from the interruption. Regardless of the cause, a business interruption loss reduces revenue and/or increases expenses, both of which decrease net income.
When an insured’s practice is interrupted, either partially or totally, by a “covered cause of loss” to its digital assets, TMLT’s cyber liability coverage (endorsed to all TMLT policies) will pay the loss of income they would have expected to earn had no interruption occurred, plus all continuing expenses and extra expenses to continue operations and to avoid or minimize the suspension of business. The covered causes of loss include:
- accidental damage or destruction;
- administrative or operational mistakes; and
- computer crime and computer attacks.
This coverage also includes continuing expenses such as employee salaries, needed utilities, and ongoing mortgage/rental payments, as well as any extra expenses incurred to expedite the replacement or restoration of data and programs, to rent/lease external equipment, to pay overtime for replacing, recreating, or restoring digital assets, and to subcontract computer work to others.
Financial/revenue loss due to reputational harm resulting from an adverse media report or patient notification of a data breach is not covered unless separate coverage is purchased or endorsed for such business continuity.
Many medical practice owners believe they are not vulnerable to cyber crimes, believing only larger providers and organizations are targeted because they have huge amounts of data. But cyber thugs go after both large and small organizations.
Therefore, if you haven’t purchased or don’t have suitable cyber liability insurance and you do suffer a significant loss, recovery may come too late.
About the Author
John Southrey is the Director of Cyber Consulting Services at TMLT. John can be reached at email@example.com.