Premera Blue Cross, the largest health insurer in the Pacific northwest, agreed in July to pay $74 million to settle a class-action lawsuit over a data breach in 2014, which exposed the personal information of more than 10.6 million people nationwide.
The Premera breach was instigated by a malicious phishing email sent to a Premera employee on May 05, 2014. The employee was tricked into believing the email came from Premera IT, which led to them clicking on a link that delivered malware. The breach went undetected for eight months, exposing personally identifiable information such as social security numbers and dates of birth, as well as personal health information.
Large-scale cyber incidents like the Premera breach are the ones that make the headlines. The understandable media bias towards event severity led, in the past, to some smaller healthcare organizations thinking they’re not at risk. There was a conception among healthcare SMEs that: ‘We’re not a Fortune 500 company, so we’re not being targeted.’ This led to many smaller healthcare organizations passing on the opportunity to purchase cyber insurance – something that Tokio Marine HCC is aiming to put right in its upcoming webinar on ‘Cybersecurity for the Healthcare Industry’.
“I think the trend has shifted in that small- and medium-sized enterprises are now being targeted most often,” said DJ Carlisle, senior underwriter – cyber & E&O at Tokio Marine HCC, and speaker in the upcoming webinar. “Obviously, we’re still seeing large incidents like the Premera breach in 2014, but more often now we’re seeing cyber criminals increase their pool of victims by targeting SMEs – these can be small care providers, smaller hospital systems, individual doctor’s offices, and so on – in order to make a quick $5,000-$10,000. There really isn’t anybody that’s not a target right now - and the billions of dollars that these criminal enterprises reap in every year proves that point.”
The Premera healthcare breach is a perfect example of employee error or negligence leading to a cyber incident. One accidental or completely innocent click on a phishing link can bring a multibillion-dollar giant to its knees. That’s why employee education and training exercises are key, according to Shaunt Mangioglu, senior underwriter – professional lines group at Tokio Marine HCC, and fellow webinar speaker.
He told Insurance Business: “Businesses need to adopt an overall strategy of creating a broad culture of cybersecurity awareness. They should provide formal training for their employees, and conduct tests to ensure that cybersecurity is top of mind. That might include sending out test phishing emails to see which employees might be vulnerable.”
However, no matter how much cybersecurity training a company rolls out, it will never fully eliminate the risk of employee error or negligence. That’s where the value of cyber insurance really comes into play. Ransomware demands today frequently reach seven figures, which would severely disrupt a large healthcare business and likely destroy a small one.
“Then there are the privacy issues,” commented Tamara Ashjian, claims manager – cyber and professional lines group at Tokio Marine HCC, and third webinar speaker. “Privacy regulations – both federal and state – are constantly evolving, and the onus is on companies to ensure they’re in compliance with those regulations. The notification guidelines for privacy breaches are very strict compared to regular PII matters, and if companies fail to meet those guidelines, the fines can be heavy. Again, this is where cyber insurance is so important for healthcare organizations.”