Archive

Posts Tagged ‘data breaches’

Patient records discovered at dump – perfect example of hospital privacy dilemma

On August 13, 2010, the front page of The Boston Globe reported that four Massachusetts hospitals are investigating how the unshredded health records of thousands of patients ended up at a public dump. At least some of the records contain sensitive medical information and Social Security numbers. The situation highlights the difficulties that organizations – and healthcare organizations in particular – face in protecting confidential patient or other personal information when many different people have access to such information in the normal performance of their duties. Read more…

MA town mistakenly emails personally identifiable information

On August 4, 2010, it was reported that officials in the town of Hingham, Massachusetts would be notifying approximately 1,300 individuals whose names and Social Security Numbers were mistakenly sent to about 30 town officials. Hingham officials indicated that they were notifying the state attorney general’s office and the Office of Consumer Affairs and Business Regulation of the breach in accordance with Massachusetts law.

A town official had emailed a document containing the personally identifiable information to about 30 department heads. When the official was notified that the document contained confidential personal information, he recalled the email, which had been sent to accounts maintained on the town’s protected server. The official said that about half of the emails had been successfully retrieved and destroyed before the recipients had opened them and seen the personal information. Read more…

UAE disrupting data security exposes tech companies to expanded risks

Another front in the battle over Data Security and Privacy broke out this week when the United Arab Emirates (UAE) announced its intention to shut down mobile services over BlackBerry smartphones made by Research in Motion (RIM). The UAE, concerned about security and looking for ways to intercept illegal and terrorist activity, threatened to shut down the popular email and text messaging services due to RIM’s practice of encrypting such communications. Other governments are seeking similar control and access over data.

Should RIM and other service providers agree to government access to data, however, they expose themselves to increased litigation from customers and third parties. Foreign government access to data may be misused for profit by rogue elements in governments. Data Security and Privacy insurers, in a nascent field, still have little way of quantifying such data risks. Nonetheless, insurance coverage for these types of risks to telecom and data providers is available with some limitations.

The cost of Health Net’s privacy and security breach

Health Net’s recent settlement with the Connecticut Attorney General shines a light on some of the noteworthy costs and risks of data breaches. It’s a sobering view.

In early July 2010, Health Net settled allegations by the Connecticut Attorney General that Health Net had violated its obligations under the HIPAA privacy and security rules. The settlement capped the first enforcement by a state Attorney General of HIPAA violations since such state enforcements were authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more…

Hospital data breach shows vulnerabilities in data protection and insurance

Hospital officials announced yesterday that computer files from South Shore Hospital in Weymouth, MA containing personal information for 800,000 individuals (patients, employees, doctors, volunteers, donors, vendors and business partners) may have been lost when they were shipped to a contractor to be destroyed. The notice posted to their website provides careful readers with some insights into some of the potential financial and insurance coverage risks that even the most careful organizations can face in connection with the compromise of confidential information. Read more…

Privacy risks extend beyond your own systems

A recent news item highlights one of the most challenging and frustrating aspects for companies and organizations dealing with their privacy and data security obligations: their potential responsibility for the behavior of others. Lincoln Medical and Mental Health Center in New York City has posted a notice on its website explaining that several CDs containing patients’ protected health and personal information had apparently been lost in transit. One of the hospital’s vendors had shipped the CDs to the hospital via overnight courier, but they never arrived. According to the website, the CDs contained the following types of information: name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly a driver’s license number. Read more…

Healthcare organizations find themselves at risk of “low tech” privacy breaches

In an age of ever-increasing dependence on electronic records and cyber-security, it should come as little surprise that there is a steady diet of new examples of data breaches and the loss of private data. This is especially true in the case of healthcare institutions and providers. Read more…

Ask the Experts: Network security & privacy liability

Legislation at both the federal and state levels has many corporate insurance buyers feeling anxious about security and privacy. This installment of “Ask the Experts” takes a look at the coverages available and questions to ask when analyzing these coverages.

Ask the Experts: Concerns for privacy in healthcare

March 11, 2010 Pete Reilly

The Health Information Technology for Economic and Clinical Health Act (known as the “HITECH” Act), enacted as part of the American Recovery and Reinvestment Act of 2009, substantially expands the HIPAA privacy and security rules. A recent survey of Modern Healthcare readers found that privacy is a big concern, given several key changes the act makes to healthcare information privacy laws. This installment of “Ask the Experts” takes a look at the risk management issues this raises within healthcare operations.

Costs are up for lost records

February 2, 2010 Ed Flanagan

The Ponemon Institute recently released its 2009 data breach figures. The average cost per customer record lost is up to $204, $2 higher than in 2008, and the average total cost per company is now $6.75 million. The sample size is relatively small – 45 companies.

It should be noted that many costs associated with a breach (e.g. notification costs, credit monitoring, investigative costs, etc.) are subject to sublimits under most, if not all, Privacy Liability policies. The sublimit is typically equal to 10% to 20% of the limit of liability ($100,000 on a $1MM policy). This is not much Read more…