As discussed Friday on the Hunton Privacy and Information Security Blog, the U.S. Department of Health and Human Services has imposed a non-appealable $3.2 million fine on Children’s Medical Center of Dallas due to breaches of HIPAA-protected information. The breaches allegedly occurred in 2009 (when an employee lost an unencrypted Blackberry containing electronic protected health information (ePHI) for 3,800 individuals); 2010 (when a medical resident lost an “iPod device” synced to a hospital email account, compromising the ePHI of at least 22 individuals); and 2013 (when an unencrypted laptop, which contained ePHI for 2,462 individuals, was stolen from the hospital). The government’s investigation allegedly led Children’s Hospital to admit additional thefts of devices containing ePHI in 2008 and 2009.
These allegations, along with other points raised in HHS’s correspondence to the hospital, underscore common hurdles to coverage that policyholders may face when seeking reimbursement for government agency fines for ePHI-related losses:
- Coverage for Regulatory Fines. Coverage for regulatory fines is now a common part of cyber insurance portfolios; however, some policies still contain antiquated or unreasonably broad fine-related exclusions that should be negotiated out of implicated policies.
- The Unencrypted Devices Exclusion. Many insurers require encryption, period. Indeed, inability to guarantee complete encryption may stop coverage negotiations in their tracks. Other policies require encryption, implicitly, through the use of exclusions precluding coverage for claims for the breach of non-encrypted data, which may be modified or eliminated before policy placement under the right circumstances.
- The Prior Knowledge Exclusion. Insurance policies exclude claims that result from situations that the insured could reasonably have foreseen would occur. Relatedly, insurers have been known to rely on inaccurate, incomplete, or omitted answers to insurance application questions about prior losses and current security measures to rescind coverage.
Here, HHS reported that Children’s had been notified in 2007 and 2008 by independent threat analysis companies that encryption was necessary to protect its devices, but failed to implement encryption on all devices until at least April of 2013. Knowledge like this, especially in the absence of actual or attempted corrective action, may be used to deny coverage.
- Retroactive Dates. Policies of all kinds will include retroactive dates and attendant exclusions that bar coverage for failures and events occurring prior to the given dates. Ideally, “retro” dates should precede the policy’s inception date by at least 2 years. However, the appropriate retroactive date will depend on the business’s risk, loss history, and any premium hikes that accompany a broader retroactive period. Here, Children’s Hospital would have needed a substantially broader retroactive period to bring the losses that led to the government fines within the scope of coverage.
- Fine v. Settlement. HHS noted that Children’s did not request a hearing within the necessary time period, resulting in the non-appealable fine. The decision to forgo a hearing or a negotiated settlement may have been a strategic determination made with its insurer, who would usually have expansive rights to control any defense or potential settlement with respect to covered claims. Notably, failure to include the insurer in the decision-making process about how to respond to or resolve a claim may be a hurdle to coverage, especially where the insurer’s rights have been prejudiced.
These are just a few of the common hurdles to coverage when faced with a regulatory fine. Using experienced coverage counsel can help insureds minimize the impact of these hurdles and otherwise fill gaps in coverage, even when a loss history is less than stellar. Hopefully, Children’s has good policies and the right broker and outside counsel team in place so it won’t be out of pocket for the loss.