A $2.3 million HIPAA settlement by 21st Century Oncology from mid-December 2017 seemed to mostly fly under the radar. A combination of events seems to have helped push the low profile, namely lack of an announcement by the Office for Civil Rights and an unfamiliar venue for approving the settlement, Bankruptcy Court. Instead of an OCR press release, the settlement was buried in a Department of Justice press release, since 21st Century Oncology also settled major fraud allegations. As a result, the fraud took the headlines.
The $2.3 million price tag on the settlement is eye-catching by itself. It is a significant amount of money and ranks as one of the higher settlements imposed by OCR. Turning to the facts, 21st Century Oncology learned of the data breach after being notified by the FBI. After learning about the breach, 21st Century Oncology determined that its servers had been compromised for over a month, with potentially 2,213,957 records impacted. The information included sensitive elements such as names, social security numbers, diagnoses, and insurance information.
As any reader of an OCR settlement should know by now, though, the internal investigation into the extent of the breach was not the end of the story. Once OCR came in to take a look around, it found a myriad of violations beyond the impermissible disclosure, including that 21st Century Oncology (i) failed to do the necessary risk analysis (a common failing point), (ii) failed to implement all necessary security measures, (iii) failed to regularly review records of information security measures to determine whether the network was remaining secure, and (iv) provided PHI to a vendor without executing a business associate agreement. As the list of violations demonstrates, 21st Century Oncology hit some of the major pain points that drive OCR to impose significant fines.
The setup so far is not much different from any number of previous breaches. However, the most interesting part of the settlement is not actually the terms of the settlement with OCR. Instead, the interesting part is the fact that 21st Century Oncology’s insurer, Beazley, assumed the obligation for payment of the fine and payment of 21st Century Oncology’s defense fees. Without having any of the facts from behind the scenes, the apparent willingness of Beazley to assume the costs associated with the data breach is important in showing that a cyber insurer would fulfill its obligations.
The cyber insurance field is in a period of settling at the moment. No consistent standard exists in terms of how cyber insurance policies are written, not least in what matters will be covered. Some policies will cover breach response, some will only cover aspects of the response, some will cover penalties, and there are any number of other permutations when it comes to the scope of coverage. Despite the broad range of what coverage could potentially be, an area of contention has been actually paying out when a breach occurs. That is where the real money comes in and when means may be sought to deny coverage.
As noted above, without having the benefit of the background, the order from the Bankruptcy Court approving the settlement with OCR and the related relief specifically stated that Beazley, as insurer, would take all actions necessary to effectuate the settlement. Such apparent ease of reaching a settlement offers a glimmer of hope going forward. If insurers will cover costs associated with a breach, including fines and penalties imposed by the government, then cyber insurance may begin to convey real meaning.
As costs and penalties begin to be covered, the next question will be how the cost of such insurance changes and what the nature of the terms will be. As indicated, it is an improvement for penalties to be covered by insurance, but there will still be a number of issues to work out. That will require carefully reading policies as well as all riders, and negotiating with insurers for the desired coverage.
As is usually the case with a settlement, the 21st Century Oncology settlement carried more import than was initially apparent. Maturity of cyber insurance will be important given the increasing number of data breaches and the corresponding monetary implications. While it would be preferable for this particular market not to become so experienced, the reality is that such development is necessary and will help all sides.
Post-publication Update: After this blog post was initially published on the morning of December 28, 2017, OCR issued a press release that same afternoon announcing the 21st Century Oncology settlement. The delay is curious, since the story had been well told by the time of release. The delay is also interesting because $2.3 million is a hefty fine, in line with the head of OCR’s desire to seek eye-catching numbers.