Search
Close this search box.

As Healthcare Industry Evolves, Michigan’s Largest System Reports Second Breach in 12 Months

medical-records_20200806-890x380-1-890x269

As Healthcare Industry Evolves, Michigan’s Largest System Reports Second Breach in 12 Months

Michigan’s largest healthcare system recently announced a data breach that may have compromised 6,000 patients’ protected health information. The breach reportedly occurred after six employee email accounts were exposed in a phishing scam in January.

The eight-hospital network with 167 outpatient locations, notified patients on July 28 of a “data security incident” that could have exposed patient names, dates of birth, diagnoses, procedures and treatment information. The health system reports the number of patients involved in the breach reflect less than 0.3 percent of its 2.3 million patients.

“Healthcare systems are experiencing a severe increase in data breaches in today’s world. Breaches are growing in size as additional patient records are being exposed in attacks.”–Derek Kilmer, Burns & Wilcox

The health system concluded its investigation on June 3. Though officials said they have no evidence compromised data was viewed or acquired by a third party, it notified patients “out of an abundance of caution” and asked them to monitor their insurance statements for care they did not receive.

Michigan’s largest healthcare system recently announced a data breach that may have compromised 6,000 patients’ protected health information. The breach reportedly occurred after six employee email accounts were exposed in a phishing scam in January.The eight-hospital network with 167 outpatient locations, notified patients on July 28 of a “data security incident” that could have exposed patient names, dates of birth, diagnoses, procedures and treatment information. The health system reports the number of patients involved in the breach reflect less than 0.3 percent of its 2.3 million patients.

This breach marks the healthcare system’s second such incident within the last 12 months. In April the network reported a phishing scam involving 112,000 patients’ information.

“Healthcare systems are experiencing a severe increase in data breaches in today’s world,” said Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “Breaches are growing in size as additional patient records are being exposed in attacks.”

That increase comes as healthcare organizations also face unprecedented difficulties in other areas. Hospitals have struggled financially amid the COVID-19 pandemic, with some losing millions of dollars per day from delayed elective procedures and many laying off staff.

The current landscape has heightened awareness of the need for Cyber and Privacy Liability Insurance, Professional Liability Insurance and other protections.

“The lack of elective procedures has created a deep hole to dig out of,” said Karl Olson, Vice President, Professional and Management Liability Practice Leader, Skyscraper Insurance, “Utilization rates have plummeted. A large percentage of hospitals may be financially insolvent by the end of the year.

Healthcare breaches are uniquely expensive, require specialized protection

Healthcare data breaches are on the rise in both the U.S. and Canada, with ransomware attacks and phishing scams causing a significant percentage of breaches. “Cybercriminals have not taken a break,” Olson said. “Healthcare entities are targets because of the large volume of data that they store, process or have access to. Many also struggle to adequately fund their data security.”

The number of healthcare data breaches involving 500 or more records increased 196 percent from 2018 to 2019, according to HIPAA Journal. In February alone, 1,531,855 individual health care records were breached.

While the average total cost of a data breach has increased from $3.54 million in 2006 to $8.9 million in 2019, the average cost of a breach for healthcare organizations can run much higher. A data breach cost per record in many industry sectors is less than $300 per compromised record, Kilmer explained, but heavily regulated industries, such as healthcare, pharmaceutical, financial, energy, and education, have a per capita data breach cost of well over $400.“Costs can add up quickly, especially if each incident impacts thousands or potentially millions of records,” he said, noting that the number of data points contained in a single patient’s record adds to the complexity of recovering from an attack. “Healthcare records can include Social Security numbers, name, address, phone numbers, and more. The information a hacker can exploit within an individual’s health record is potentially quite large and can take an immense amount of time to track down, leading to additional expenses.”

As more breaches occur, particularly during the pandemic, healthcare organizations rely on Cyber and Privacy Liability Insurance to help mitigate their losses and maintain operations. Cyber and Privacy Liability Insurance policies can include coverage for paying or negotiating ransoms, such as in 2016 when a California hospital paid hackers $17,000 after a ransomware attack that held its computer network hostage. Such policies can also help mitigate the costs of bringing in specialized cybersecurity attorneys and forensic teams to assist in the response.

According to the 2019 American Medical Association-Accenture Medical Cybersecurity Survey, 36 percent of healthcare institutions were rendered incapable of providing care for at least five hours following cyberattacks. The 2020 IBM Security Cost of a Data Breach report indicated that the healthcare industry had the longest average breach lifecycle of any industry—329 days.

“It can take years for medical fraud to be discovered,” Kilmer said. “Healthcare organizations should have a plan in place that allows them to get up and running as quickly as possible after an attack with the lowest possible number of patient files exposed.”

Beyond the direct costs of a cyberattack, the bulk of data breach expenses are related to reputational damage and customer turnover in the aftermath of an incident, according to Kilmer. “Healthcare breaches continue to push customers away,” he added. “Given the current financial hardships hospitals are having due to absence of elective surgeries, a breach can set back these institutions even further.”

When an organization is hit multiple times it can have a negative impact on its insurance underwriting options, Olson noted, adding that “underwriters are asking for much more in-depth information than they have in years’ past.”

Telemedicine, equipment shortages among other growing healthcare liabilities

Even as medical professionals stand on the front lines of the COVID-19 pandemic, hundreds of U.S. hospitals face bankruptcy and some, especially in rural areas, may close. Hospitals laid off 1.4 million workers in April alone and a record number of nurses have lost their jobs. These conditions could add to already rising medical liability costs at a time when 34 percent of physicians are sued at some point in their careers. Beyond cybersecurity risks, healthcare entities expect a wave of lawsuits related to the pandemic as well as the corresponding rise in telemedicine. While some providers may think they have coverage under certain liability protections, Professional Liability Insurance and Medical Malpractice Insurance are essential for all healthcare organizations, Kilmer said.

“It can take years for medical fraud to be discovered. Healthcare organizations should have a plan in place that allows them to get up and running as quickly as possible after an attack with the lowest possible number of patient files exposed.” –Kilmer

“The healthcare industry is evolving rapidly,” he said. “There is going to be a continued need for telemedicine, which brings additional cybersecurity concerns.” He added that Professional Liability Insurance for healthcare organizations needs to account for changes in technology, especially if the organization is providing telehealth.

For employers in the healthcare industry, potential lawsuits over personal protective equipment (PPE) shortages, layoff procedures or overall handling of the pandemic make Healthcare Management Liability Insurance — including Employment Practices Liability Insurance (EPLI) and Directors & Officers (D&O) Insurance — a key priority.

EditCurrently selected link settingsOpen in new tab

“There is expected to be no shortage of employment practices liability lawsuits related to COVID-19,” Olson said. While an organization may be forced to reduce its workforce, he said, it can benefit from providing proper guidance and being transparent.

Addressing allegations of fraud or abuse related to Medicare and Medicaid billing and its management are other significant risks facing healthcare systems. Medical Liability Insurance that includes coverage for regulatory audits and investigations is recommended to help mitigate the costs involved with such disputes. “It is an elective coverage that is becoming more relevant than ever,” said Olson.

Security protocols, insurance are crucial to healthcare risk management

Healthcare organizations can strengthen their cybersecurity by using proper data architecture, Olson said. For example, a nurse signing in at a station should not have access to the entirety of a patient database. In addition, employees should be trained on properly securing records and how to recognize phishing attempts. “Employee education is paramount for identifying nefarious activities,” he said.

“While a healthcare organization can never be completely protected, the more that an employee knows what to look out for, the more they can safeguard patients’ privacy and potentially save the organization from a breach,” Kilmer added.

Smaller healthcare companies are particularly vulnerable to cyberattacks and, without Cyber and Privacy Liability Insurance, may not be able to cover the cost of a proper response. “There are limited resources in the healthcare sector for cybersecurity,” Kilmer said. “A small healthcare organization may struggle to protect their network because of a lack of safeguards and funding for cybersecurity.”

Cyber and Privacy Liability Insurance, Medical Malpractice Insurance and other Professional and Medical Liability Insurance policies should be customized to each organization’s particular needs. “Make sure that you are consulting a trusted source about coverage options,” Kilmer noted. “Work with a broker who can address limits based on your organization’s size, revenue and protected health information.”

As the healthcare insurance marketplace hardens, the renewal process for all insurance types should be started early due to greater underwriting scrutiny, longer turnaround time on applications and requests for COVID-specific supplements. “There is still a reasonable method for renewals and insuring new healthcare businesses or new business activities,” Olson emphasized. “It just takes someone with experience to know the appropriate markets and how to present the new risk.”

As the healthcare industry continues to change, risk management is critical. The current pandemic is likely not the last of these situations we experience. “Healthcare organizations need to make sure they are protected on all fronts, especially when economic realities make it unlikely that they could absorb the costs of the evolving risks they face,” Kilmer said.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related posts

Risk Management

Mitigating Financial Losses During Hurricane Season: A Skyscraper Insurance Guide

As hurricane season approaches, businesses must take proactive steps to safeguard against financial losses. At Skyscraper Insurance, we understand the unique challenges companies face in times of disaster, and we’re committed to helping our clients navigate them successfully. Here’s how your business can mitigate financial risks with the right strategies and support. 1. Diversifying Income Streams for Resilience A diversified revenue model is crucial to withstanding the disruptions caused by hurricanes. Skyscraper Insurance works with businesses to evaluate new opportunities—whether it’s launching an online platform, expanding services, or entering new markets. This ensures that if one revenue stream is impacted, others can sustain the business. 2. Comprehensive Insurance Coverage The first line of defense is making sure your insurance policies are up to date and cover potential hurricane-related damages. Skyscraper Insurance specializes in providing tailored insurance solutions, including business interruption coverage, property damage, and flood insurance, to protect our clients against catastrophic financial losses. 3. Creating a Contingency Plan with Experts In partnership with Skyscraper Insurance, businesses can develop disaster contingency plans that ensure operations continue smoothly, even in the face of supply chain delays or power outages. We help you establish backup solutions, such as alternate suppliers or inventory management systems, minimizing financial fallout. 4. Maintaining a Recovery Fund Skyscraper Insurance advises its clients to maintain a recovery fund, ensuring fast access to resources for repairs, inventory restocking, and other unforeseen costs. This proactive approach enables businesses to get back on their feet quickly without waiting for loans or insurance claims to process. 5. Leveraging Government Aid and Local Resources In the aftermath of a hurricane, government aid can be crucial for businesses. We assist our clients in navigating grants, low-interest loans, and tax breaks available through local and federal disaster relief programs, ensuring that financial recovery is swift. 6. Risk Management Strategies At Skyscraper Insurance, we provide businesses with customized risk management strategies designed to reduce vulnerabilities and protect financial stability. From evaluating potential hazards to implementing risk-transfer solutions, we help you mitigate loss before a disaster strikes. 7. Ensuring Proper Documentation for Claims Keeping detailed financial records is essential for filing accurate and timely insurance claims. We help clients organize and maintain critical documents that streamline the claims process, ensuring a quicker recovery period. Skyscraper Insurance: Your Partner in Resilience While hurricanes can be unpredictable, your business doesn’t have to face them alone. At Skyscraper Insurance, our commitment goes beyond coverage; we provide expert guidance and comprehensive risk management services that empower businesses to stay strong and resilient during hurricane season.

Read More
Safety Tips

How Natural Disasters Impact Supply Chains: Lessons from Hurricanes

Natural disasters like hurricanes wreak havoc on supply chains, causing major disruptions that can affect business operations for weeks or even months. For businesses, it’s critical to understand how these disruptions occur and to take steps to mitigate them. At Skyscraper Insurance, we help our clients navigate these challenges with smart risk management strategies that protect their bottom line. Here’s how hurricanes impact supply chains and what businesses can do to prepare. The Impact of Hurricanes on Supply Chains Hurricanes affect supply chains in several key ways: Minimizing the Impact: Strategies for Business Resilience While hurricanes are unpredictable, businesses can minimize their impact on supply chains through proactive planning: Inventory and Distribution Strategies Hurricanes often lead to localized supply shortages in the regions directly affected, but businesses that rely on global supply chains must also be wary of broader impacts. Global markets can feel the ripple effects as businesses look for alternative suppliers or routes, which might drive up costs and delay deliveries. Supporting Employees and Customers Beyond the logistical impact, hurricanes also bring safety risks to employees and customers. Ensure that safety plans are in place, including clear evacuation procedures and communication strategies. For employees working in distribution or warehouses, it’s essential to prioritize their well-being by closing operations in unsafe conditions and providing post-storm recovery support. Final Thoughts Supply chains are the backbone of many businesses, but they are also vulnerable to the unpredictable forces of nature. By diversifying suppliers, investing in technology, and planning ahead, businesses can minimize the disruption caused by hurricanes and other natural disasters. At Skyscraper Insurance, we’re here to help our clients protect their supply chains and navigate the challenges posed by these extreme events.

Read More
Try your instant quote