More than a third of healthcare-industry cyber claims are down to employee negligence, according to 2016 claims data from one insurance carrier.
NAS Insurance recently released its “2016 Trends and Insights cyber claims digest”, which revealed healthcare employees are causing plenty of claims activity by sending patient information to incorrect recipients.
Mike Karbassi, vice president of tech and cyber underwriting at NAS, said the healthcare negligence claims were “very hard to underwrite”.
“It could be a situation where a healthcare employee is sending or faxing patient records to an incorrect fax address or email address,” he said. “We’re seeing that happening. We’re seeing paper files being left behind in the open where somebody could pick them up. We’re seeing lost mobile devices.
“It’s an exposure that’s very difficult to underwrite too – it’s basically human error. I feel like that trend has been there for quite a while now. For the most part they’re smaller [claims], but that’s not to say there haven’t been instances where larger Excel spreadsheets filled with data are sent to a wrong email address.”
The 2016 report analyzed more than 900 claims from NAS policyholders that were closed last year.
Though the top category for breaches in healthcare was negligence (35% of claims), in the non-healthcare realm the greatest claim driver was “other”, which encompassed “phishing attacks, cyber extortion, malware, and wire transfer fraud.”
Meanwhile, Karbassi said claims for ransomware – 16% of non-healthcare claims and 11% of healthcare claims – continue to be a growing trend.
Looking forward, the report predicts that a growing insurance cost for 2017 will be “IT forensics”, which is built into many cyber products on the market.
“The cost of digital IT forensics can be very expensive, depending on the nature of the breach. Typically with a ransomware incident it’s not necessarily known right away how that incident occurred. So, in order to get to the root of the problem, identify it, and come up with a solution, it’s not uncommon to hire a team of digital forensic professionals to get to the source of it,” Karbassi said.
“Some of the cases are very cookie-cutter and easy to identify … but other cases it could be a very sophisticated breach … where it could go undetected for an extended period of time. And in those instances, it will take a lot more digital forensics work to identify the source cause, and that’s where you see the total cost get pretty expensive fairly quickly.”