
Hospital to Pay $65 Million After Sensitive Patient Data, Photos Leaked Online


A hospital in Pennsylvania recently agreed to pay $65 million to settle a class-action lawsuit over a 2023 cyberattack that exposed the personal data of approximately 135,000 individuals, including sensitive photos of more than 600 patients. Patients and employees affected will receive between $50 and $70,000 each; patients whose photos were leaked online will receive the larger amounts, Insurance Journal reported on Sept. 12.

“This case was even more severe due to the potential emotional distress of having those photos leaked. That is something that is irreparable,” said Kyle Bell-Colfer, Broker, Professional Liability, Burns & Wilcox Brokerage, Chicago, Illinois. “No amount of financial restitution can make these patients whole again.”

The settlement is considered the largest of its kind to date, per-patient, for a healthcare ransomware event, according to attorneys representing the patients and employees affected. It is the type of loss that underscores the importance of Cyber & Privacy Liability Insurance, which can help pay for costs ranging from initial breach response to eventual class-action settlements.
 

“With this type of attack, a hospital is going to need IT forensics, cyber experts, call centers, and legal assistance,” said Danion Beckford, Senior Underwriter, Professional Liability, Burns & Wilcox, Toronto, Ontario. “The insurance coverage is there to help them get in front of it with their patients, which is their social responsibility.”

Attorneys say hospital was ‘reckless’ by refusing to pay ransom

According to the law firm Saltz Mongeluzzi Bendesky, which represented the plaintiffs, hackers threatened to post sensitive patient photos online if the Pennsylvania-based Lehigh Valley Health Network did not pay a ransom, but the healthcare company refused to pay, Insurance Journal reported. The law firm described it as a “knowing, reckless, and willful” decision that resulted in patients’ photos being published on the internet along with other data including diagnosis and treatment information, Social Security numbers, and more.

While the FBI advises against paying ransoms to cyber criminals, cybersecurity experts can help companies weigh their options when faced with this type of threat, said Joey Franiak, Broker, Professional Liability, Burns & Wilcox, San Diego, California.

“It is unfortunate if the hospital would have to pay a ransom, but now they have a $65 million class-action settlement and they have lost faith from a lot of their patients, who may move on to other healthcare organizations now,” Franiak said. “The hospital may have been thinking more of the financial cost of paying these hackers, but, if anything, this shows that you need a Cyber policy in place so they can take over negotiations and make sure that data does not get exposed to the dark web.”


The potential emotional impact on the patients whose photos were posted online is difficult to measure, Beckford added. “They had no say about it, and now they could worry that those images will live on the internet forever,” he said. “The patients could potentially avoid going to the hospital in the future because they are worried about this risk. That is not good for anyone’s overall health.”

According to Beckford, a healthcare company’s senior management team is responsible for notifying the Cyber & Privacy Liability Insurance carrier as soon as possible when a cyber threat or breach occurs. “The Cyber claims team is going to take it from there, and they will look at all aspects for you and what needs to be done at that point,” Beckford said.

With a Cyber & Privacy Liability Insurance policy in place, cybersecurity experts would help guide healthcare companies through the steps of addressing this type of breach — although the decision whether to pay a ransom or not would fall to the healthcare organization itself, Bell-Colfer said.

“The insurance carrier will have a panel of incident response and forensic experts in place that everything runs through. They are going to be the quarterback of your claim, and you want to engage them as soon as possible. They have specific vendors that are very well-versed in negotiating the ransom payments,” Bell-Colfer explained. “Ultimately, the decision to pay or not to pay is solely on the shoulders of the business owner. What can help, though, is that the insurance carrier will have a team that negotiates with these threat actor groups and knows their tendencies well, as they have done this thousands of times. The company is not left to try to deal with negotiations on their own.”

Healthcare companies remain a prime target for cyber crime

When a healthcare data breach occurs, Cyber & Privacy Liability Insurance can also help with notifying patients as well as the state attorney general’s office, HHS, and any other entities that must be notified. It can also provide media relations assistance, regulatory fines and penalties, business interruption expenses and more, Bell-Colfer said. “With a healthcare data breach, there are so many components of that policy that can be triggered, from the initial incident response costs all the way to your class-action settlements,” he said.

More hospitals are realizing the multitude of potential expenses associated with cyberattacks, as healthcare systems continue to be among the most targeted classes of business for data breaches. Healthcare and public health were more affected by ransomware attacks than any other infrastructure sector, according to the FBI’s 2023 Internet Crime Report. Some officials believe the U.S. government’s response to the growing issue is insufficient, NPR reported on Sept. 17. Healthcare organizations in Canada are also facing these risks; in 2019, 48% of all Canadian data breaches occurred in the healthcare sector, according to a 2023 report in the Canadian Medical Association Journal.

“Healthcare is a highly targeted and vulnerable industry,” Bell-Colfer said, adding that the recent $65 million settlement demonstrates the extremely sensitive nature of information held by healthcare companies. “Healthcare data is some of the most coveted on the dark web. There is substantial potential damage that can occur from loss of PHI and other forms of data these organizations hold, as we see in this case with the sensitive patient photos.”


According to the HIPAA Journal, 725 healthcare data breaches were reported in the U.S. in 2023, impacting more than 133 million records.

“It seems like every day we are dealing with a healthcare hack, unfortunately,” Franiak said. “Data breaches can cause hospital backups, billing delays and other impacts, so hospitals need to make sure they have the best interests of their patients in mind. No one thinks about it until it happens to them. Having a plan of action is imperative for any organization. If they are not thinking about cyber risks, they should be.”

An industry with so much sought-after data “will always be a valuable target for hackers,” Beckford said. “The hackers are getting more sophisticated. They are finding any way they can to get in,” he said. “Healthcare organizations need to be as diligent as possible to make things secure, but these hackers out there are constantly evolving and finding new ways. We always have to stay up to date with it.”

How healthcare organizations can protect themselves

In February, a cyberattack against UnitedHealth affected up to a third of Americans’ data and caused major claims processing disruptions across the country, Reuters reported in May. The breach was reportedly caused by a lack of multifactor authentication, according to CBS News.

“If it can happen to them, it can happen to any organization, regardless of how big or small,” Franiak pointed out. “In the healthcare space, something they should consider is whether they have high enough limits for these types of losses that can occur and whether they are adequately prepared for it.”

When purchasing Cyber & Privacy Liability Insurance, a broker specialized in cybersecurity risks can “look at every aspect of the organization and show them where they could be vulnerable,” Franiak said. “Ransomware settlements are getting larger and larger — we are definitely seeing a trend. It is important to make sure you are constantly doing everything you can to prepare your organization, whether it is through staff training or having plans in place to prevent these issues from happening. A great tool for that is a Cyber & Privacy Liability Insurance policy.”

Large healthcare systems often need multiple layers of Cyber & Privacy Liability Insurance and Excess Liability Insurance to obtain high enough limits for their level of risk, Beckford said. “They build a tower,” he explained. “One market is not usually going to take on the entire risk.”


According to Bell-Colfer, the increased “severity and frequency” of data breach claims can also be attributed in part to substantial consolidation in the healthcare industry. “When you have a lot of mergers and acquisitions going on in the industry, there tends to be a potential security gap in those initial months while those entities are being onboarded,” he said. “They are essentially adding another link to the chain that may be more susceptible than others. That can create a glaring weakness until that new entity’s security posture is brought up to the organization’s standard.”

Healthcare companies should ensure all data is protected based on the latest cybersecurity best practices, including encryption of sensitive data both at rest and in transit. “It is crucial that companies understand what data they hold, where it is stored and how it is protected,” Bell-Colfer said.

Data encryption is a key security tool healthcare organizations can use to help mitigate the total cost of data breaches, Bell-Colfer said, and another is working with a knowledgeable Cyber & Privacy Liability Insurance broker.

“It is vitally important these organizations work with a Cyber Liability broker who understands the differences in policies available and knows which providers have the best claims teams,” he said. “Because at the end of the day, when the house is on fire, who is going to help put it out?”
