Healthcare Risks: Protecting Patient Records
November 1, 2024
In today’s dynamic healthcare industry, the threat of losing confidential patient records represents a significant liability for medical professionals and practices of every size and type. When unauthorized individuals access patient records, those records may be used for a wide range of criminal activity.
A Word About Protected Health Information
Protected Health Information (PHI) refers to any data about a person’s health status, healthcare provision, or healthcare payment that is created, collected, or maintained by healthcare providers, health plans, or other covered entities, and that can be used to identify an individual. PHI is defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is subject to strict privacy and security regulations to ensure its protection.
PHI includes both medical information and identifying information, which together make it possible to trace health data back to a specific person. Some common examples of PHI include:
- Personal identifiers: Name, address, birth date, Social Security number, and phone numbers.
- Medical information: Medical histories, treatment and diagnoses, test results, and prescription information.
- Payment information: Billing records and insurance details related to healthcare services.
- Demographic data: Race, ethnicity, gender, and age.
- Healthcare interactions: Records of doctor visits, hospital admissions, or medical procedures.
Under HIPAA, covered entities (like hospitals, clinics, and health insurers) and their business associates must implement safeguards to protect PHI from unauthorized access, breaches, and improper disclosure. Failure to secure these records can result in legal claims, regulatory penalties, and reputational harm.
Why Do Criminals Target Confidential Patient Records?
Criminals target patient records for several reasons, as these records contain highly valuable information that can be exploited for various illegal activities. The main reasons criminals focus on patient records include:
- Financial Gain through Identity Theft: Patient records often include sensitive personal information such as Social Security numbers, addresses, birthdates, and financial data. Criminals can use this data to commit identity theft, open fraudulent credit accounts, apply for loans, or file false tax returns. Unlike credit card data, which can quickly become useless if canceled, healthcare information is more permanent and valuable over time.
- Healthcare Fraud: Criminals can use stolen patient records to commit healthcare fraud by submitting false claims to health insurance providers, Medicare, or Medicaid. They may pose as the patient to receive medical treatments, prescriptions, or medical devices, all billed to the victim’s insurance. This type of fraud can go undetected for long periods, making it particularly attractive to cybercriminals.
- Medical Identity Theft: In addition to financial fraud, criminals can sell patient records to individuals who seek to obtain medical services or prescriptions under someone else’s identity. This not only leads to incorrect medical records for the victim but can also have life-threatening consequences if inaccurate information is added to their medical history.
- Black Market Value: Stolen patient records fetch a high price on the dark web because of their rich combination of personal, medical, and financial details. Criminals and fraudsters looking to purchase this data can use it for a wide variety of illegal activities, making patient records more valuable than other types of personal data.
- Extortion or Ransom: Criminals may use patient records as leverage to extort healthcare organizations or individuals. In ransomware attacks, criminals may encrypt a healthcare provider’s database and demand a ransom to restore access, threatening to release sensitive patient data if their demands aren’t met.
- Insurance Scams: Stolen records can be used to make fraudulent insurance claims, collect money from fake claims, or alter information about a patient’s coverage. This can lead to financial losses for insurance companies and higher premiums for consumers.
Healthcare providers, clinics, hospitals, and specialized medical facilities are all at risk when cyber criminals gain unauthorized access to PHI. Without protections in place, those entities may be liable if records are lost or stolen.
Insurance Solutions for Healthcare Operations
Healthcare liability insurance, specifically cyber liability insurance and professional liability insurance, can provide protection to healthcare providers in cases of PHI theft. These policies are designed to mitigate the financial and legal consequences that can arise from data breaches or other forms of unauthorized access to patient records. Each coverage offers its own solutions, protecting healthcare businesses and their providers from financial damage when patient records are lost or stolen.
1. Cyber Liability Insurance
Cyber liability insurance is tailored to address the risks associated with data breaches, including the theft of PHI. This type of coverage is particularly valuable for healthcare providers, as it helps protect against the significant financial burdens and liabilities caused by cyberattacks or other breaches of sensitive data.
Coverages under a cyber liability policy can include:
- Public relations costs
- Breach response expenses
- Forensic data analysis
- Data restoration
- Ransom payments
- Expenses associated with business interruption
2. Professional Liability Insurance (Errors and Omissions Insurance)
Professional liability insurance, often referred to as medical malpractice insurance in the healthcare field, can also play a role in protecting against PHI theft, particularly when the theft occurs due to the negligence of healthcare professionals. This type of policy typically covers:
- Claims of Negligence: If the healthcare provider is sued for failing to adequately safeguard patient records, professional liability insurance may cover the costs of the lawsuit. This includes both defense costs and any settlements or judgments awarded to the plaintiffs.
- Failure to Prevent Data Breaches: In cases where a breach occurs due to errors made by employees (such as improper data handling or failure to follow security protocols), the policy may provide coverage for claims related to these mistakes.
Speak to an experienced healthcare liability insurance provider to find the right coverages to meet specific needs and risk profiles. With liability insurance in place and best practices for protecting patient records and data, healthcare operations can protect against financially damaging claims.
To learn more about insurance solutions for the healthcare sector, visit our Healthcare page.