Hospital data breach shows vulnerabilities in data protection and insurance
Hospital officials announced yesterday that computer files from South Shore Hospital in Weymouth, MA containing personal information for 800,000 individuals (patients, employees, doctors, volunteers, donors, vendors and business partners) may have been lost when they were shipped to a contractor to be destroyed. The notice posted to their website gives careful readers some insight into the potential financial and insurance coverage risks that even the most careful organizations can face in connection with the compromise of confidential information.
The information lost was back-up computer files that contain confidential personal and financial information obtained over 14 years. The hospital had hired a “professional data management company” to destroy back-up computer files that were in a format that the hospital no longer uses. [What due diligence had the hospital performed on the data management company and its data security practices? Did the data management company sign a business associate agreement pursuant to the HITECH Act? Did the hospital obtain indemnification rights from the data management company? Did the data management company have an E&O insurance policy with well-negotiated data security coverage? Would the hospital’s provision of personally identifiable information to the data management company pass muster under the Massachusetts Data Security Regulations? If the hospital has data security insurance, would a breach of the Massachusetts Data Security Regulations be covered (many policies do not currently provide such coverage)?]
The files had been shipped for off-site destruction. [Shipped by what means? As described on WGA InsureBlog in an earlier entry, Lincoln Medical and Mental Health Center in New York suffered a data breach when a vendor shipped CDs containing protected health information via overnight courier — and the CDs did not arrive. Many people think that the only risk to data in transit occurs when the data is being transferred electronically, but these events highlight how non-electronic data transfers can be treacherous as well.]
While the records have been lost, the hospital indicated that there was no evidence that the records had been seen by anyone. The hospital investigated the loss, searching for the files with the data management company and the shipper, working to determine the nature and extent of the information contained in the lost files, and assessing the likelihood that someone could access the files. [The costs of forensic investigations into the causes and extent of data breaches can be frightfully expensive, easily reaching hundreds of thousands of dollars. Simply ascertaining which records have been compromised can be extremely difficult. Many insurance policies severely limit coverage for forensic expenses.]
The hospital notified the federal Department of Health and Human Services, the Massachusetts Department of Health and the Massachusetts Attorney General of the breach [incurring legal fees]. The hospital’s website had a sample notification letter for affected individuals. The sample letter, which the hospital said could change, had a toll-free number and offered free credit reports (not credit monitoring services) to affected individuals. [Some data security insurance policies would cover credit monitoring services in these circumstances, others would not.] The website does not indicate whether any of the contacted federal or state agencies have decided to investigate the matter. [Some data security insurance policies may cover regulatory fines and penalties, others would not.] The hospital stated that credit card information about a small number of individuals may have been contained in the lost records. [Most data security insurance policy forms do not provide coverage for assessments imposed by credit card brands.]
[And of course, most issuers of CGL policies would decline to cover any of the out-of-pocket forensic, notification or credit monitoring costs described above. Generally, only specialized privacy/data security policies can be crafted to cover these expenses.]
Events such as this illustrate why it is so common for organizations to spend millions of dollars dealing with breaches of data and network security — even if their own IT systems are strong.