Guest Column | May 10, 2019

Why More Medical Professionals Are Getting Data Breach Insurance

By Kayla Matthews, Productivity Bytes

Many medical professionals get malpractice insurance for protection against losses associated with alleged errors. However, there's another kind of coverage that's increasingly necessary for them: data breach insurance.

What Is Data Breach Insurance?

The specifics of a data breach insurance plan vary by provider. Generally, though, it covers expenses related to data breaches and the costs to recover from them. The coverage usually extends to malicious attacks, plus unintentional events that lead to losses, such as coding mistakes that leave patient information exposed.

Sometimes, data breaches are among the issues covered by medical malpractice insurance or general business coverage. The typical problem in those cases, however, is that the coverage limits often fall far short of what victims need to recover. According to one person who weighed in about data breach insurance for physicians, a five-member practice should have $1 million worth of umbrella coverage for their facility.

Having that coverage can cost several thousand dollars per year, but the insurance is a smart investment considering how severe breaches can be and the effects they can have on businesses.

The Losses For Healthcare Businesses Are Especially Costly

One reason why medical professionals realize it's time to get data breach insurance is that they think carefully about the potential losses and decide they can't afford to operate without it. Research shows that the per-record losses for healthcare are almost three times greater than the cross-industry average, amounting to more than $400 per record.

Hackers May View Doctors' Offices As Easier Targets

Hospitals experience data breaches regularly, and some of them are so problematic that the facilities have to temporarily stop using all computer systems or direct incoming patients to other locations. Security professional Mark Dill says doctors' offices could be the weak links that hackers target with things like malware. That's because medical practices may not take security as seriously as hospitals do.

Dill also says it's important that smaller medical practices don't try to compare themselves to the cybersecurity strategies in place at large academic medical centers. They should, however, have cybersecurity plans that match their capabilities.

Some Plans Cover Third-Party Negligence

Many medical providers rely on third parties to take care of some of their business needs. When professionals investigate to see what a data breach insurance plan includes, they may want to find options that cover claims stemming from third-party negligence.

In a case in Ireland, the Saolta University Hospital Group sent one of its computers for repair in the United Kingdom. Instead of returning it, the repair provider reconditioned the device and gave it to a different hospital. The other hospital's IT department realized the computer still had data on it and informed Ireland's health authority.

That example shows how data breaches can happen in a wide variety of ways, and third parties may be the culprits. Data breach insurance could give extra peace of mind in cases where doctors' offices have above-average cybersecurity strategies but are worried that third-party entities may fall short.

Some Attacks Have Severe Consequences

Unfortunately, many cyberattacks are not mere inconveniences at physicians' offices. Some of them prevent patient appointments, leaving those people without medical care and directly impacting profits for the providers.

In an incident in northeast Ohio, a practice got caught in a cyberattack at a medical records company affecting millions of patient documents. Physicians at the facility said they were not able to access any of the records for their 8,500 patients. As such, they had to stop seeing them. Representatives at the practice said previous outages of this type lasted for only an hour or so, but this problem persisted for days.

That outcome is bad enough, but the effects of such attacks can be permanent. One two-doctor practice in Michigan had to cease operations. Everything started when the office's system was infected with ransomware that proceeded to delete and overwrite every medical record.

Since there was no way to tell which patients had upcoming appointments, and so no way to call them and tell them not to come, one of the doctors sat in the waiting room for weeks waiting for people to arrive and explaining the issue.

The hackers promised to restore access to the files for a $6,500 payment. However, the physicians decided not to pay it because they had no guarantee it would get results or that the malware wouldn't strike again. They ended up closing the practice and retiring about a year earlier than planned.

Medical Facilities Are Unlikely To Have Data Breach Coverage

Due to the severity of the examples above, people might think that, by now, most medical practices have coverage. However, findings from FICO about businesses with cybersecurity insurance showed that companies in the health sector were the least likely to have such protection.

Overall, 24 percent of U.S. executives admitted their firms did not have cybersecurity coverage. In the healthcare sector, the percentage of entities without coverage balloons to 70 percent.

A different study showed that if physicians have not experienced cyberattacks, they're in the minority. More specifically, research from the American Medical Association found that 83 percent of physicians reported cyberattacks.

These findings show that although many health facilities don't have coverage, they need it.

Data Breach Insurance Is Increasingly Necessary

Although cyberattacks vary in the kind of information taken and the duration of issues, it's essential for physician practices to invest in data breach insurance. Beyond incidents with malicious intent, sensitive information can be exposed due to carelessness or errors.

The associated costs can quickly rack up, whether from trying to repair the vulnerability or regain stability after temporarily closing. Data breach insurance can help physicians feel more prepared against possible cyberattacks and better able to recover after they happen.

About The Author

Kayla Matthews is a MedTech writer whose work has appeared on HIT Consultant, Medical Economics and HITECH Answers, among other industry publications. To read more from Kayla, please connect with her on LinkedIn, or visit her personal tech blog at https://productivitybytes.com.