Disclosure, Notification Key When a Data Breach Occurs
The threat of a cyber attack is pervasive and affects all types of businesses, with healthcare organizations recently in the hot seat. There was the massive Anthem breach that affected 80 million individuals followed by the announcement that Premera Blue Cross was hit by a breach that may have affected 11 million current and former customers. How a company handles a breach is critical to its reputation and customer confidence in addition to mitigating potential lawsuits and potential violations.
Premera is a good example of what can happen after a breach. The health insurer is now facing five class-action lawsuits and continuing questions from top officials since it disclosed its breach, which apparently occurred in May 2014 but was only discovered this past January. The suits, filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts, all make similar complaints: Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.
The complaints say Premera should be held financially responsible for any losses customers suffer, and ask the court to award damages and restitution. Premera should have immediately notified each person whose information was compromised and should prevent breaches from happening in the future, according to documents filed with the court. The lawsuits also argue Premera violated the Health Insurance Portability and Accountability Act (HIPAA), as well as the insurer’s own privacy policies, by allowing the data to be accessed. In doing so, the suits say, the company has put customers at risk of identity theft, bank fraud, tax fraud and medical-identity fraud.
Moreover, both Senator Patty Murray (WA-D) and Washington State’s Insurance Commissioner, Mike Kreidler, are particularly concerned about the delay in notifying customers of the breach. According to the Seattle Times, Murray wrote in an email that she was “seriously concerned about the pace of notification, as well as how impacted families and businesses are being informed and assisted.” She said she would “continue monitoring progress closely to make sure all those affected by this breach in Washington state and across the country get the support they need.”
Premera’s CEO Jeffrey Roe, in a letter to Senator Murray, defended the company’s response to the breach and said it was not yet clear how the malware entered its system. However, Roe’s letter went on to say that once the attackers were in the network, they were able to access login credentials, allowing them to gain broader access to Premera’s computer network. According to the Seattle Times, he reiterated the reason for the delay — the company waited to inform the public until after its information-technology systems were secure. He said that decision was based on advice from Mandiant, a consultant it had hired on computer-security issues.
Full disclosure and immediate notification of patients or customers are of paramount importance when a breach occurs, as evidenced by the allegations now made against Premera. Having robust cybersecurity measures, along with a Cyber Liability insurance program to respond to and pay for the costs of notifications, forensics, third-party liability, crisis management and regulatory fines, is critical. Caitlin Morgan can assist you with your Cyber insurance plan. We specialize in insuring medical facilities and are equipped to secure a program that is right for your organization.
Source: Seattle Times