Cyber Breach & Claims Examples

“Under the stress of dealing with a large security incident, Beazley was a calm partner. They were responsive, efficient, extremely easy to work with and connected us with a variety of experts who assisted us every step of the way.”

E. Ward Begley II, General Counsel,
Roz Cordini, Chief Compliance Officer,
Owensboro Health

Healthcare

A healthcare organization’s employee posted patient treatment information on a social media website. The employee did not include the patient’s name, but because the disclosure occurred in a small town, the public could determine the patient’s identity. Cyber Services connected the organization to expert privacy legal counsel, who provided advice on notification to the individual, as well as satisfying the necessary regulatory response.

Cause of breach/claim: Insider
Healthcare

A healthcare organization was hit by a sophisticated foreign phishing attack that exposed information on nearly 20,000 pediatric patients held in employee email boxes. Employees had clicked on the phishing emails and either gave up credentials or launched malware into their network. Forensics found some evidence of data exfiltration. The data contained patients’ names, clinical information, phone numbers, addresses, insurance information and some social security numbers. Cyber Services coordinated outside legal counsel, forensics, notification, a call center vendor, and credit monitoring. An Office for Civil Rights (OCR) investigation is pending.

Cause of breach/claim: Data breach, Hacking or malware
Healthcare

Imposters posing as an x-ray disposal vendor stole barrels of x-ray films from a hospital loading dock. The hospital’s employees did not ask for identification nor did they question why the vendor’s employees were not in their usual truck and uniforms. The stolen barrels contained several hundred patient x-rays. The hospital worked with Cyber Services and panel counsel to draft notification letters, frequently asked questions and a media statement.

Cause of breach/claim: Data breach, Physical loss / non electronic record
Healthcare

An IT vendor had inadvertently left unsecured a file containing over 30,000 patients’ billing information, such that it was searchable on the internet using search engines such as Google. The hospital discovered the incident during security testing when a larger healthcare system acquired the hospital. The information exposed included names, social security numbers, dates of birth, addresses, treatment information, and insurance information. The hospital utilized outside legal, forensics, notification services, a call center, credit monitoring and crisis management. The hospital was investigated by OCR and four attorneys general.

Cause of breach/claim: Data breach, Unintended disclosure
Healthcare

Unencrypted backup tapes were lost that contained 1.6 million pediatric patients’ billing information, including names, dates of birth, social security numbers, diagnosis codes and health insurance information. The tapes also included employees’, physicians’ and vendors’ information, totaling 200,000 individuals. The tapes were believed to have been lost during a remodeling project in the IT department. The healthcare entity used a notification vendor, a call center, credit monitoring, legal, forensics and crisis management, all of which were coordinated by Cyber Services. There was an OCR investigation that lasted 3.5 years and was ultimately dismissed.

Cause of breach/claim: Data breach, Portable device
Healthcare

A laptop was stolen from a physician’s office. The thief, impersonating a construction worker, entered the physician’s office area when the hospital was undergoing an expansion. The laptop was one of a few that were unencrypted, as it was bought with departmental funds outside of the normal procurement process and did not go through IT for encryption. The laptop contained pediatric patients’ names, treatment information, and diagnoses. Cyber Services was contacted and assisted with outside legal counsel. An OCR investigation lasted for 4 years and was ultimately dismissed.

Cause of breach/claim: Data breach, Portable device
Healthcare

A healthcare organization’s offices in Phoenix, Chicago and Nashville were affected by the Pink Slip virus. Forensic investigators determined that protected health information and personally identifiable information were not compromised by the incident. Unfortunately, the healthcare organization incurred data losses and expenses in responding to the virus, and Beazley paid over $120,000 in data protection loss.

Cause of breach/claim: Data breach
Healthcare

After a nursing home employee resigned, the home discovered that she had emailed herself patient records. Cyber Services connected the nursing home with panel privacy counsel, and after investigation and interviewing the former employee, counsel helped the home determine that notification was not necessary as the files were never used and had been deleted.

Cause of breach/claim: Data breach, Insider
Healthcare

A laptop was stolen from an assisted living facility employee’s vehicle. Cyber Services connected the facility with panel privacy counsel, and together they determined that no PHI was stored on the laptop, and thus, notification was not necessary.

Cause of breach/claim: Data breach, Portable device