According to an article written on January 30, 2017 by the Managing Editor of The Cyber Security Source, ransomware attacks quadrupled in 2016 and are anticipated to double again in 2017. Many of these incidents began after a staff member accidentally opened a file or a laptop, tablet or phone was lost or stolen. Interestingly, ransomware attacks seem most common at the end of a financial quarter or during busy shopping periods.
Recently, a number of healthcare organizations have had their information held for ransom, impacting their internal data systems, the confidentiality of their electronic records, and their employee information.
Please note that this is indeed a breach and under Florida Law you must notify your patients within 30 days of the Ransomware attack or your organization could be fined a fee per patient per day back to the date of the breach. The average cost-per-record in a healthcare breach is $402, according to statistics from Ponemon Institute’s 2016 Cost of Data Breach Study: United States.
This could potentially destroy a practice.
Organizations either paid the requested ransom (via PayPal or Bitcoin) or restored from their most current backup and moved on, failing to notify their patients because they did not consider the incident a real breach.
Florida Notification Obligation:
“501.171 Security of confidential personal information.—
(1) DEFINITIONS.—As used in this section, the term:
(a) “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
Read more on the “501.171 Security of confidential personal information” Section of Florida Law.”
Steps to Follow if You Encounter A Breach:
- If you encounter a ransomware breach, contact your cyber policy hotline or your malpractice insurance company’s claim manager.
- You will be assigned a Breach Coach who will assess the incident and determine whether a claim should be filed.
- If a claim is filed, a call will be initiated between the carrier, your agent, and a third-party forensic law firm that the carrier has a contract with.
- The third-party forensic firm will remotely log into the affected system to assess the depth of the damage, determining what happened and how the system was affected, and take the necessary steps to get the system up and running.
- Hire a PR firm to coach the insured on the best way to notify their patients and staff.
- Determine the damage for Business Interruption reimbursement.
- Set up a call center to answer calls once the patients/staff have been notified and to handle credit monitoring requests.
To learn more about Cyber Insurance options please visit the Emerald Coast Medical Association website to speak with Executive Director, Michelle Flaat or the Danna Gracey Insurance Specialist, Julie Danna.