CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Why it Matters if your Medical Identity is Stolen

Posted in Healthcare, medical records, UCLA Health Systems, Year in Review

UCLA Health System is the latest to announce that a data breach may affect as many as 4.5 million people.  So far UCLA has not found evidence that personal or medical information was accessed.

Medical breaches can be as expensive to an individual as a financial breach and involve potentially dire consequences.

What can a stolen medical ID be used for?

  • to obtain medical services at your expense
  • to obtain false prescriptions for sale on the black market
  • to combine a patient number with a false provider number and file false claims with insurers
  • to obtain medical services with the beneficiary’s consent. A substantial portion of identity theft is consensual between friends and family, although this may wane as more people acquire insurance under the Affordable Health Care Act.

What are some of the consequences of medical identity theft?

  • denial of or increased premiums for life or disability insurance based on inaccurate medical history
  • denial of medical insurance benefits because aggregate policy limits were exhausted by fraudulent use
  • improper medical treatment based on inaccurate medical records
  • liability for a fraudulent medical bill, unlike reimbursement for fraudulent withdrawal of funds or credit card use
  • denial of employment if a background search discloses a disqualifying medical condition

Individuals are not the only ones at risk. Health care providers also can have their medical provider identifiers stolen.  The most common approaches are:

  • fraudsters use a physician’s medical identifier to make it appear that the provider ordered health services
  • fraudsters use a physician’s medical identifier to make it appear that the physician provided and billed services directly even though the physician never saw the patients.  In addition, the IRS may pursue the physician for not paying taxes on income the provider is erroneously recorded as having received.

Court of Appeals Allows Class Action to Proceed Against Neiman Marcus

Posted in credit monitoring, standing

On July 20, 2015 the U.S. Court of Appeals for the 7th Circuit addressed the issue of standing in a suit by class action plaintiffs against Neiman Marcus following a 2013 data breach.  Neiman Marcus Opinion (01008181xAE57E)

In a significant decision by an influential court, the 7th Circuit ruled that plaintiffs showed a substantial risk of harm from the breach and therefore have standing to sue.

The class members alleged lost time and money resolving fraudulent charges and protecting themselves from future identity theft, lost value of purchases that they would not have made had they known of the store’s “careless approach to cybersecurity,” and lost control over the value of their personal information.

Allegations of future harm can establish Article III standing if the harm is impending, but allegations of merely possible future injury are not sufficient.

The Court of Appeals relied on the California federal district court’s reasoning in In re Adobe Sys. Privacy Litigation when it stated that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur.”  The Court of Appeals commented that it is unlikely that Neiman Marcus offered credit monitoring because “the risk is so ephemeral that it can safely be disregarded.”  It also described credit monitoring costs as a concrete injury.

This opinion is one of the few to find standing in a data breach case but it may be the one that turns the tide for plaintiffs.   It also calls for another look at whether offering credit monitoring escalates a future risk into a recoverable harm.

Who Covers the CIO In a Privacy Lawsuit?

Posted in CIO, Coverage, D&O, OPM

The CIO for the Office of Personnel Management is one of 4 defendants recently sued by the federal workers’ union for failing to correct known deficiencies in the system.   The CIO is a frequent casualty of cyber breaches: Target, AOL, the Utah Department of Health, Ohio University.  It is no surprise then that a CIO’s average tenure is about 5 years, much shorter than that of other C-suite executives.

Where is the coverage for a CIO named in a privacy-related lawsuit?  There may not be any if the CIO falls in a gap between privacy and traditional D&O coverage.

On the D&O side, if a CIO acting in his official capacity is sued because a data breach causes the stock to drop, or shareholders allege breach of fiduciary duty, or an agency fines the company for improper data protection, then a D&O policy could respond. But many D&O policies contain exclusions for invasion of privacy and for loss of or damage to tangible property.  And we have already seen several instances where a CGL policy does not respond to cyber incidents.

The typical cyber policy covers first and third party claims such as notification costs, credit monitoring services, forensic investigations, crisis management expenses, regulatory proceedings and third party liability.   A cyber liability policy will not cover shareholder derivative suits.  Additionally, the limits of a cyber policy may be insufficient for the amount of damages claimed against a CIO.

Of the two, the D&O policy is probably better suited to be amended to cover a CIO’s cyber-related loss.

Would federal cyber legislation apply to a federal agency breach?

Posted in Federal Legislation, OPM

There is no shortage of headlines about the massive data breach at the Office of Personnel Management, which reportedly involves about 25 million former and current federal workers, their spouses and those who applied for government background checks.

There was also no shortage of headlines this past spring when both the House of Representatives and the Senate passed cyber security legislation, although the bills have not been reconciled.   So how would the federal legislation apply to the OPM data breach?

It wouldn’t.  The House and Senate measures push U.S. companies to voluntarily share “cyber threat data” and to give federal investigators access to their networks.  There is limited protection from liability if personal data is disclosed while being shared.

But neither the House nor the Senate legislation requires increased protection of data to prevent or minimize a breach, or any notice or monitoring after a breach.  “Non-federal entities” do not appear to be involved in the OPM breach, so a threshold trigger for the legislation does not exist.    And buried deep in the House bill is this limitation: the NCCIC, which receives the shared data, shall not have more than 50 permanent positions, including contract employees.  Even if the laws did apply to the OPM breach, how much could a 50-person staff accomplish in the face of 25 million involved individuals?

The federal government may have taken a step forward with the legislation, but it would have no effect on a data breach among its own.

Aggregation of Cyber Losses: A Small World Can Be a Dangerous One

Posted in aggregation

Business Blackout is a joint report just issued by Lloyd’s and the University of Cambridge’s Centre for Risk Studies. It analyzes the insurance impact of a hypothetical attack on power grids that serve 93 million people in the U.S. The fall-out is worse than any disaster movie: financial markets close, products in ports remain unloaded, people cannot get to work, food goes bad from lack of refrigeration, water runs low, hospital generators fail, ATMs run out of cash, tourism halts, social unrest intensifies. The indirect losses continue for years around the globe.

Loss aggregation has emerged as one of the great uncertainties because insurers may have multiple business lines affected and reinsurers may have multiple cedants involved in one occurrence. The affected insurance lines may include property, liability, business interruption, D&O, event cancellation, workers comp, homeowners and auto.

The risk is not just an accumulation of expected cyber losses, but also what the report calls “silent cyber” exposure – when insurers’ portfolios are hit with cyber losses that were neither expected nor priced.

The Blackout scenario is an exaggerated one and unlikely to occur. But the report effectively demonstrates that cyber losses are not restrained by territory or time.  Those insurers writing cyber losses need wordings to protect themselves from the falling domino, and those who think they do not insure cyber losses may want to look again.

Celeste King to Moderate Panel on Cyber Threats to Medical Profession and Developments in Insurance at Crittenden Medical Insurance Conference

Posted in Uncategorized

Celeste King will moderate a panel on cyber and privacy threats to the medical profession and developments in cyber/privacy insurance for the medical profession during the 2014 Crittenden Medical Insurance Conference scheduled for March 30-April 1 in San Diego.   Celeste’s panel includes Jeremy Henley, ID Experts; Jean Liu, Director of Compliance Management for Accretive Health; and John B. Graham, Professional Liability Product Manager for Zurich North America.  For further information, see the conference announcement (PDF) or visit the Crittenden website.

Meetup.Com Refuses to Pay $300 Ransom to Hackers – Site Struggles to Stay Online

Posted in Uncategorized

From the Chicago Tribune on March 3, 2014:

Social networking website is fighting a sustained battle against cyber attackers who are demanding only $300 to call off a campaign that has kept the site offline for much of the past four days.

The site, which enables strangers to meet for activities of shared interest such as sports and other hobbies, could not be accessed early Monday afternoon.

A Meetup blog said that the company was a victim of a distributed denial of service (DDOS) campaign, a type of attack that knocks websites offline by overwhelming them with incoming traffic. It said that no personal data, including credit card information, had been accessed. Meetup’s co-founder and CEO, Scott Heiferman, said on the company’s blog that it was the first such attack in the site’s 12-year history. He defended the move not to pay the paltry ransom. “We made a decision not to negotiate with criminals,” he said. “Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world.”

He said the small amount was likely a trick and that the perpetrators of the sophisticated attacks would likely demand more… Heiferman’s blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began on Thursday morning.  He said Meetup spent millions of dollars a year to secure its systems.

The Meetup site and related mobile apps have been intermittently unavailable since Thursday.

OneBeacon Files DJ: No CGL Coverage for Retailers in Zip Code Disputes

Posted in Coverage, Credit Card Transaction, Damages, Declaratory Judgment Litigation, Insurance

OneBeacon America Insurance Company filed a DJ against retailers Urban Outfitters and Anthropologie in federal court in Pennsylvania on September 10, 2013.  The retailers have been sued in “Zip Code Actions” brought by consumers alleging that the stores request zip codes when completing credit card transactions, a practice that allegedly violates consumer protection and privacy laws in the District of Columbia, Massachusetts and California. (OneBeacon Declaratory Judgment Complaint)

The complaint seeks a declaration of no coverage for defense or indemnity under the OneBeacon CGL and Umbrella policy primarily because:  (1) the ZIP Code Actions do not allege ‘personal and advertising injury’ as defined in the policy; (2) the policy excludes recording and distributing material information that violates the law; and (3) the policy excludes known violations.

This case comes less than a month after Liberty Mutual filed a DJ in Missouri against Schnuck Markets, also seeking a declaration of no coverage under a CGL policy for the grocery chain’s data breach.

These two coverage disputes arise from different facts but they both demonstrate potential problems when a privacy/data security dispute is tendered under a traditional CGL policy.  Companies that believe they already have coverage for privacy/data disputes may want to take a look at these lawsuits and compare them to their own business risks and their current wordings.

4 Stolen Unencrypted Laptops = 3 Class Actions

Posted in Advocate Health Care, Class Action, Health Records Privacy, HIPAA, Illinois, medical records

At least three class action lawsuits have been filed, two in state court and one in federal court, after Advocate Medical Group in Illinois reported four stolen laptops containing protected health information of 4 million patients.   The breach is believed to be the second largest loss of unsecured PHI since mandatory reporting began in 2009.

On July 15, 2013, four password-protected but unencrypted laptops were stolen from Advocate’s offices outside of Chicago.   The laptops allegedly contained names, addresses, dates of birth, social security numbers, medical diagnoses and health insurance information of 4.03 million patients.

About a month later, Advocate began notifying affected individuals by letters.  Advocate offered credit monitoring, established a call center, created a website and stated that it has enhanced security measures and conducted a thorough review of policies.

The federal complaint was filed August 30, 2013 in the US District Court for the Northern District of Illinois (Advocate Class Action - Federal Court), and the state court actions were filed in Cook County, Illinois on September 4, 2013 (Advocate Class Action State Court (Lozada)) and on September 5, 2013 by the Clifford Law Office (Advocate Class Action State Court (Petrich)).

The breach is also being investigated by the federal OCR and the Illinois Attorney General’s office.