Hospital loses $10m to cyberattack, but broker’s recommendation saves the day

Hospital went $10 million in the red - but it could have been much worse


By Sam Boyer

An independent brokerage made a great call, upping a policy in the nick of time and saving a client from losing millions of dollars. This is the story of what happens when brokers do what they do best.

On April 09, Erie County Medical Center – a 1,000-bed hospital and nursing home in Buffalo, New York – was hammered by a ransomware attack that rendered its computer system useless.

Cyber criminals had infiltrated its security, kidnapping its servers, and encrypting its data. The crooks demanded $30,000 to unlock the thousands of crippled computers.

But ECMC chose not to pay the ransom, at the advice of cybersecurity experts and law enforcement. The decision was likely made easier thanks to the hospital’s new cyber insurance policy, taken out months earlier at the recommendation of ECMC’s new broker.

As part of a “deep dive” analysis into the ECMC’s risk exposure, brokers at Lawley Insurance recommended the hospital drastically increase its cyber limit, from $3 million up to $10 million.

The hospital has estimated costs relating to the cyberattack have already reached almost $10 million. The broker’s recommendation was timely and necessary.

“Hospitals are targets, and if they are hit they’re going to get hit hard,” said Reggie Dejean, specialty insurance director at Lawley, an independent agency in Buffalo, New York. “These aren’t fender-bender [type claims], these are head-ons when you have large clients like this.

“When we started working with the hospital, we looked at options for them. We gave them pretty significant limit options,” he said. “We did tell them that the $3 million was in no way going to be adequate for what their exposures were.”

ECMC president and CEO Thomas J. Quatroche Jr. told Insurance Business the agency’s coverage increase recommendation was a large part of the hospital getting back to normal. For weeks after the attack, staff had to resort to paper files for everything – until the computers could be remedied by experts.

“By carefully analyzing the potential risks and assessing potential impact on hospital operations, Lawley developed and recommended an insurance policy that will assist ECMC significantly in its post-cyberattack restoration and recovery effort,” Quatroche said.

The cyberattack, and the coverage that went with it, may have occurred south of the border, but it was a good lesson for brokers everywhere, said Ashley Manti, client manager at brokers Pearson Dunn and president of Insurance Brokers Association Hamilton, in Ontario, which is just 70 miles from Buffalo.

“What they’ve done is the same thing that we as brokers are doing, or should be doing, here [in Canada] as well,” she said.

“As a broker, that’s the premise of what we do, and that’s the reason why people choose to be with a broker – because we’re looking at your account as a portfolio and [looking at] what we can recommend as the best coverage and solutions for your business needs.”

It didn’t matter what side of the border the attack took place, Manti said. Cyber criminals do not respect international borders. What is important is that brokers act diligently for their clients and stay on top of their individual needs, she said.

“One of the key things that jumps out [from this case] is that this broker took over this account from another broker. So they didn’t just take it and run with it, they took it and re-evaluated their [client’s] entire program and saw where the deficiencies were, and put forth the proper recommendations. And that’s obviously worked out in the client’s favor.”

Of the $10 million already spent by ECMC on fixing this attack, roughly half was spent on improved computer hardware, software and cybersecurity expertise, according to the Buffalo News. The other half is knock-on spending, including overtime wages for staff and business interruption costs associated with shutting down the systems.

The price tag is severe, for sure. But the hospital decided early on – accepting expert advice – that paying the ransom was not an option. After all, who could guarantee they would have their computers returned to them without the criminals having stolen patient data or laid further traps?

Dejean, at Lawley, said the ordeal still wasn’t over. But that’s part of the process, continuing to handle the fallout of a policy claim.

It didn’t always work out so positively and so publicly when brokers recommended new policies, he said, but this case was gratifying.

“It’s a partnership,” Dejean noted. “We just need to make sure we continue to work with them – because there’s still a long road ahead – to make sure this continues to be the good story.”

Knowing the client and recognizing their risk was important, Dejean said. That may seem a given, but the proof is in the pudding when you hear about large public cases – both positive and negative.

“In some cases it’s easier when you take over an account. That’s when you do your critical analysis. You do a deeper dive, certainly, when you’re looking at a client for the first time,” Dejean said. “But we like to keep that going, too, at renewal time.

“It’s a delicate balance. Obviously you don’t want to always be push, push, push on the sales side. But you want to do what’s best for your client.”
