In a word, yes. Many chiropractors significantly underestimate how much a breach will cost and think they can self-insure against it. Outlining what happens in the event of a breach helps in understanding the value of cyber liability coverage. The claims scenarios below illustrate the severity of cyber claims and how widespread cyber breach activity is throughout the healthcare industry.
Scenario 1
Employees of a large chiropractic group discovered that their email accounts were not accessible. The group’s IT department investigated and discovered that a ransomware attack infected 10 servers and 50 workstations. The group had to close operations for two business days and suffered losses in relation to the event.
Cyber insurance covered a total of $83,050, as follows:
- IT Expenses: $59,571 – Consultants were retained to immediately address the ransomware attack, secure data, investigate if any patient health information was compromised, and rebuild the group’s network.
- Business Interruption Expenses: $9,286 – Several appointments had to be cancelled, and could not be rescheduled, resulting in loss of income.
- Data Recovery: $10,857 – Numerous employees had to work overtime to recreate lost data from backups.
- Ransom Amount: $3,336 – The group paid the ransom demand to regain system access.
Scenario 2
A provider of in-home chiropractic care was investigated by the Office for Civil Rights (OCR) after it received a complaint that one of the provider’s employees left behind documents containing the protected health information of 278 patients after moving residences. Evidence supported this complaint. The OCR found that the provider significantly lacked adequate policies and procedures for safeguarding patient information taken offsite. As a result, the provider was ordered to pay $239,800 in civil money penalties imposed by OCR.
Scenario 3
A mid-size chiropractic group’s network of computers was infected with ransomware, potentially compromising patient data. The group did not pay the ransom and instead focused its efforts on reconfiguring the computer system and restoring the data from backups. Under state privacy laws, the group was required to notify almost 10,000 patients about the breach. Cyber insurance covered the group’s breach notification costs, which totaled approximately $27,500.
Scenario 4
The personal data of over 2,000 credit and debit cardholders was exposed when 10 card readers at a chiropractic group with multiple locations were compromised by a rogue employee. Across several of the group’s locations, the readers had been manipulated and credit card data had been “skimmed” to sell on the black market. The group’s bank investigated and found that the group failed to maintain data security controls required under the Payment Card Industry Data Security Standard (PCI DSS). The bank imposed fines and assessments against the group for PCI DSS non-compliance.
If you have any concerns about your cyber coverage and want to know more about what we offer, fill out our online form to get a no-obligation quote.
Please note: These risk/claim scenarios are provided here for illustrative purposes only. The scenarios are examples of the types of claims and associated costs commonly seen and do not represent a comprehensive explanation of any one particular claim. While the subject coverage is designed to address certain risks and associated costs, coverage may not be available in all circumstances. Each reported claim will be evaluated on a case-by-case basis. The actual policy or endorsement language should be referenced to determine coverage applicability and availability.
“OUM” and “OUM Chiropractor Program” do not refer to a legal entity or insurance company but to a program or symbol of a program underwritten, insured, and administered by ProAssurance Insurance Company of America. The information contained on the OUM Chiropractor Blog does not establish a standard of care, nor does it constitute legal advice. The information is for general informational purposes only. We encourage all blog visitors to consult with their personal attorneys for legal advice, as specific legal requirements may vary from state to state. Links or references to organizations, websites, or other information are for reference use only and do not constitute the rendering of legal, financial, or other professional advice or recommendations. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by ProAssurance Insurance Company of America, the terms and conditions of the actual policy will apply. All information contained on the blog is subject to change.