Thursday, September 15, 2011

Medical Cyber Liability and Data Breach Costs

I look forward to seeing so many familiar faces and to meeting some of you for the first time at the upcoming Fall IMGMA show. Please make sure you stop by the TrueNorth booth to say hello and register to win an iPad. If you haven’t used one before, they are very slick, and if you already have one, you certainly know they are addictive and having a second would be all the better!
We have spent more and more time internally discussing cyber breaches and how we are assisting our clients to be sure that, in the event of a breach of personally identifiable information (PII) for your patients / employees, they have some, if not complete, coverage. This is a very real and very new threat, and one that is expanding by the week. It is interesting to note that we have only quoted these policies over the last few years, but coverage has significantly changed and is now much more inclusive, addressing the heart of the problem.
NOTIFICATION COSTS!
Many early internet security and data policies provided small coverage limits, but they failed to address notification costs and were mainly intended for defense costs and / or first-party liability to help you repair your systems in the event of a breach. Some of the early policies also do not cover physical breaches (e.g. paper patient records or charts stolen or accessed from recycling, or a simple error in discarding these records).
We are advising and quoting complete cyber liability and data breach coverage for all of our clients and paying close attention to notification costs. This expense can add up very quickly and is often required even when we cannot prove a breach has occurred, for example if a laptop is stolen or lost, or a terminal was left unprotected overnight. A breach may not have occurred, but if we fail to notify our patients and provide the necessary credit and identity protection, we open ourselves not only to indemnity costs but also to civil, state and federal fines.
Take a look at this example of notification costs from the Ponemon Institute:
Top Findings
More organizations favor rapid response to data breaches, and that is significantly costing them: Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these “quick responders” paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.
For the fifth year in a row, data breach costs have continued to rise: Data breaches continue to cost organizations more every year. Total breach costs have grown every year since 2006. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year.
Think about that statistic. If you are not carrying a separate data breach policy, or do not have it as an endorsement on your Executive Liability package, and you suffer a breach or potential breach, it could cost as much as $214/record. These costs can accumulate very quickly, and we are advising all of our clients to at least find out what options are available. Even a small breach of 100 records could result in ~$21,000 of out-of-pocket expense. These costs include the following:
1. Notifying each patient / record
2. Establishing a crisis management plan and hotline
3. Providing access to identity and credit protection services to re-establish patient / employee confidence
4. Indemnity costs
5. Defense costs
6. Civil fines
Data security breaches and compromises of customer and employee data continue to be reported at a high frequency. When a breach occurs, you and your physicians need to be ready to respond quickly and effectively to mitigate your exposure to brand damage and legal liability. Please swing by the booth and we can discuss further. We can help you determine if you have an exposure and certainly help you identify how to address it. Below are some additional examples of medically related data breaches.
Data Breach Types
Breaches by third-party outsourcers are becoming slightly less common but much more expensive: Third-party mistakes continued their slight decline in 2010 to 39 percent. The cost of such breaches rose significantly, however, up $85 (39 percent) to $302 per record. These figures may indicate that compliance with government and commercial regulations for data protection are dramatically raising breach costs involving outsourced data.
Breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat: The prevalence of breaches concerning mobile devices holding sensitive data stayed roughly the same at 35 percent this year, down a point. Per-record costs rose $33 (15 percent) to $258 per record. Our research suggests that device-oriented breaches have consistently cost more than many other breach types. This may be because investigations and forensics into lost or stolen devices are more difficult and costly.
Companies are more vigilant about preventing systems failures: The number of breaches caused by systems failures dropped 9 points in 2010 to 27 percent. Breaches from systems failures averaged $210, up $44 (27 percent). The noticeable drop in breaches from systems failures may point to organizations becoming more conscientious in ensuring their systems can help prevent and mitigate breaches (through new security technologies and/or compliance with security policies and regulations).
Negligence remains the most common threat, and an increasingly expensive one: The number of breaches attributed to negligence edged up a point to 41 percent. Breaches from negligence in 2010 averaged $196 per record, up $42 (27 percent) from 2009. The relatively stable incidence of negligence may indicate that ensuring employee and partner compliance remains an ongoing challenge. These figures may reflect the growing prevalence and cost of malicious breaches, as well as organizations’ growing competency in handling breaches from systems failures and negligence.

Thursday, May 5, 2011

Article: Guidance on Iowa Peer Review

Guidance on Iowa Peer Review
By Connie Alt, Esq., Shuttleworth & Ingersoll
Peer Review
Peer review means, very simply, “evaluation of professional services rendered by a person licensed to practice a profession.” Iowa Code §147.1(4).  It applies not only to doctors, but to nurses and other allied health professionals.
Peer Review Records are defined very broadly in the Iowa Code to include all complaint files, investigation files, reports or other investigative information relating to discipline or professional competence in the possession of a peer review committee. Iowa Code §147.135(2). A Peer Review Committee is also broadly defined as “one or more persons acting in a peer review capacity” who are members of the staff, professional society or group medical practice with a formal peer review process. Iowa Code §147.1(5).
Iowa law provides that peer review records are protected as confidential and privileged and are not subject to discovery or subpoena and are not admissible at trial or hearing.  This protection is based on an “overwhelming public interest” in fostering the continued improvement in the care and treatment of patients including candid evaluations of clinical practices with constructive criticism.
Recent Court of Appeals Decision
Recently the Iowa Court of Appeals, in Orgovanyi v. Henry County, et al., held that, based upon the record in that case, the peer review privilege did not protect a ‘patient safety report’ from discovery. The ruling is concerning, but it does provide some direction as to how to modify documentation and procedures so that those documents would more likely be protected. The Court made a distinction between loss prevention (not protected) and peer review (protected), and held that the information must be in the possession of the peer review committee, whether or not generated by the committee, to constitute peer review and gain the statutory protection.
In Orgovanyi, the risk manager had possession of the patient safety report and testified that she would typically analyze these reports and provide summary information to the peer review committee. She did not testify that she had provided the report to the peer review committee, and did not testify that she was an agent of the peer review committee. Based on this record, the Court found that there was insufficient evidence that the report was “in the possession of a peer review committee or an employee of a peer review committee.” The Court stated that, absent other information to the contrary, it was ‘logical’ that the patient safety report was not part of the peer review process but part of the hospital’s “regular risk management system.”
What this Case Means to You
While your institution may approach these types of reports, whether they are called Variance Reports, Patient Safety Reports or Incident Reports, in such a way that you are already protected, you should re-evaluate your quality reporting systems to be sure that you have procedures in place that give you the best chance that all such reports which contain critiques of professionals are protected under the peer review statute.
The following recommendations may be helpful:
  • Direct reports to someone who has been designated as an agent of the peer review committee
  • Understand as the initial reviewer that possession is only as agent of the peer review committee
  • Understand that as an agent of the peer review process, these reports are the beginning of the peer review process and the agent's task is to:
    • Evaluate all reports as an agent of the peer review committee
    • Send those reports that relate to a healthcare provider's professional care or competence to the peer review committee for review and action as the committee sees fit
  • Route reports to the peer review committee and have them reviewed (remember the peer review committee is a broad term and need not be the same for all purposes)
  • Modify existing policies so they accurately define the above roles and procedures
  • Educate your staff about the broad reach of peer review protections, the meaning of peer review and the requirements to obtain and maintain protection of documents
These recommendations do not guarantee protection of such documentation from discovery in litigation, but modifications to your policies and procedures will go a long way to support the argument that protection does exist.  

Remember there may be more than one way to accomplish effective peer review that provides protection.
For specific wording of the complete Code, see http://www.legis.state.ia.us/IACODE/2001/147/135.html 
About the author:
Connie Alt is an attorney with the law firm of Shuttleworth & Ingersoll.  Her legal work focuses primarily in the area of litigation (medical malpractice, products liability, employment and commercial litigation) and administrative matters for healthcare providers.  Her experience includes more than 40 jury trials, as well as non-jury trials, administrative hearings and appellate arguments.
Attorneys in the Shuttleworth & Ingersoll Health Law practice area represent a number of healthcare providers including regional and county hospitals, as well as physicians, home health agencies, nursing homes, pharmacies and a wide variety of others in dealing with the multifaceted legal issues which arise in the healthcare environment. www.shuttleworthlaw.com