Cyber Bytes is S.H. Smith & Company's Cyber, Security & Privacy blog – written by the experts you trust.
When people think about how a breach occurs, one of the most common pictures is a hacker gaining access to your network to extract data. While that is a very real occurrence and should be of concern for every business out there, we should also think about the less common ways in which a data breach can occur.
I gave you one example in the blog I wrote a couple of months ago about a healthcare breach involving X-rays. If you remember, the X-rays were stolen not for the PHI they contained but for the silver found in them. However, this was definitely a data breach considering the X-rays also contained protected health information which was disclosed in an unauthorized manner.
Here is another example. Affinity Health Plan was recently fined $1.2M for HIPAA violations resulting from a data breach in 2010 involving a photocopier leased by Affinity, which still contained the protected health information of over 300,000 individuals on its hard drive when it was returned to the leasing agent. Unfortunately for Affinity, the photocopier was purchased, along with three others, by CBS News as part of its special investigation into the secrets digital photocopiers hold.
This is not only a “funky” example of how a breach can occur. It is also a very sobering example of how long it may take to realize all the financial consequences a data breach may involve.
The Ponemon Institute recently released a report on cyber attacks in the healthcare industry, indicating that healthcare data breaches are on the rise.
With 94% of hospitals suffering data breaches at a total cost of $7B to the healthcare industry, healthcare organizations must take steps to improve network security and mitigate this exposure. ID Experts continues to provide relevant and up-to-date statistical data that helps our industry improve network infrastructure and decrease liability.
Legislation such as the HITECH Act, HIPAA, the "Red Flags Rule", and state notification statutes has heightened awareness and increased penalties for privacy incidents. While healthcare companies have been responsible for only 15% of all data breaches to date, they rank #2 in terms of the total number of records lost, and the number of records per incident is among the highest of all industries recorded. As most cyber, security and privacy risks are not covered under standard policies, S.H. Smith & Company experts conduct in-depth analyses of current coverage. Contact us today to get started.
Download the full Ponemon report from the ID Experts here.
This week the New York Times published an article about the alarming rise in cyber attacks on America’s universities. Every year universities and their faculty are awarded patents, some of which have the potential to yield tremendous value. According to the article, most of the estimated millions of attacks are thought to emanate from China, which has been the leading source of efforts to steal information for some time now. Rodney J. Petersen—the head of the Cyber Security program at Educause—is alarmed by the recent increase in frequency affecting America’s universities: “The attacks are increasing exponentially and so is the sophistication, and I think it’s outpaced our ability to respond.”
At S.H. Smith & Company, we have partnered with multiple carriers to provide you with the most current and comprehensive coverage available. As foreign attacks are on the rise, no U.S.-based company is without risk. The Cyber bubble continues to build; it’s imperative that companies have protection for network intrusions and other wrongful acts occurring anywhere in the world.
You can read the full New York Times article by clicking here.
I’m not sure if all of you have heard about the breach affecting Schnucks Market, Inc. I don’t like to just repeat breach news stories in this blog but rather offer a unique perspective on some of the breaches I come across in an effort to get everyone thinking about cyber risk (and of course cyber risk insurance).
It has been reported that a credit card breach has impacted about 2.4M credit cards used at 79 Schnucks stores from early December 2012 to late March 2013. The breach was caused by malware which accessed credit card information as the transactions were awaiting authorization within the company’s processing system.
Let’s put aside the costs Schnucks has already incurred in forensic costs to determine the extent of the breach as well as the costs incurred to notify consumers of the breach (although I am sure these costs are significant).
As is common in breaches involving consumer data, Schnucks finds itself the defendant in three lawsuits seeking class action status (and there could be more). As many of you know, the Privacy Liability Coverage of a cyber form holds a lot of value in its duty to defend these claims. Since consumers are usually not liable for fraudulent charges on their credit cards, damages awarded in these cases have been pretty limited. That may change...
One of these suits alleges the breach cost consumers time and money, requiring them to spend hours canceling and getting replacement cards and resetting automatic payments. If the federal minimum wage of $7.25 is used to calculate how much a consumer’s time is worth, then Schnucks may be defending allegations of compensatory damages in excess of $17,000,000 for just one hour’s worth of corrective action spent by a consumer.
This one will be interesting to watch...
The personal information of 10,000 patients was exposed early last week after DENT Neurologic Institute in Amherst, NY mistakenly sent an email to 200 people that included an attachment containing the personal information. Information such as Name, Address, Primary Physician, Last Appointment Date and Email were among the leaked data.
As an attempt to rectify their mistake, DENT called all 200 recipients of the email and asked them to delete it immediately. In addition, DENT will be sending a letter to each of the 10,000 patients whose information was released explaining to them what happened.
DENT's CEO, Joseph Fritz, says the accidental release of information is "mortifying."
The following statement was published in a press release last week:
"We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners," Fritz said. "Patient confidentiality is extremely important in our field and we take it very seriously and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event."
Fritz said the list was mistakenly attached to a routine e-mail that was being sent to patients by a clerk in the DNI administrative office. "This was a case of human error and the person involved is a dedicated, long-term employee and there was absolutely no malice involved, but that doesn't excuse it," he said.
Fritz said DNI has self-reported the event to the New York Department of Health and will take whatever steps the state requires. In addition, DNI will send a letter of apology and explanation to all 10,000 patients and their referring physicians, whose names were on the list.
Human error is a big reason why companies need to protect themselves with Cyber, Security & Privacy Insurance. Mistakes do happen; contact us today to find out more.