A preliminary class action data breach settlement involving Iowa Health System, doing business as UnityPoint Health, should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. As reported by HealthITSecurity, the proposed settlement contains no global cap on allowable monetary relief and credit monitoring services, which means UnityPoint Health would potentially be liable to each and every class member up to the maximum individual amount allowed for claims under the settlement, regardless of the aggregate amount of other claims. Other recent data breach settlements, including those involving Banner Health, Anthem, and Premera Blue Cross, although costly, have generally established global caps on settlement costs.
Breach Insurance Considerations
Given the rise in data breaches and related class action lawsuits, adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations, risks, and the type and amount of data it holds. For example, a larger health system may require cyber and breach insurance coverage in the amount of $25 million, whereas a small or mid-sized physician practice may require coverage in the amount of $1 million. A comprehensive policy will generally cover the majority of the more expensive costs that may result from cybersecurity breaches and related claims and settlements, including legal fees, forensic investigation, notification and credit monitoring costs, and certain business interruption costs. However, coverage will not typically extend to reputational harm, loss of business, or regulatory audits.
Although it remains to be seen whether the UnityPoint Health settlement will be approved, the lack of a global cap is concerning for future large-scale cybersecurity incidents. Organizations should review their policy coverage on an ongoing basis and ensure it remains appropriate for their operations, data, and risks. Responding to data breaches is increasingly costly, particularly as class actions and settlements become more prevalent and as the amount of data and the number of individuals potentially exposed in a cybersecurity incident increase. Therefore, organizations should err on the side of caution and ensure ample coverage is available in the event of a cybersecurity incident, so that lower policy limits are not exhausted. Organizations should also ensure that the vendors they contract with are obligated to carry adequate cyber and breach insurance coverage.
Breach insurance is not a substitute for a strong security posture, so organizations should also remain mindful of their overall security program. Security assessments should be performed routinely and in response to changes in the organization’s systems or operations. Organizations should additionally ensure that any risks and vulnerabilities identified are documented and mitigated as part of the organization’s ongoing security risk management program.
Limitation of Liability and Indemnification
A second area health care organizations should focus on is their vendor contracts. It is not uncommon to encounter vendor limitation of liability clauses, hold harmless provisions, and one-sided indemnification provisions when negotiating health IT and similar contracts. These provisions can range anywhere from reasonably tailored to the services and risks inherent in the arrangement to so broad, or so limiting, that they disclaim any and all liability related to the vendor’s services, whether negligently provided or otherwise. Vendors can be highly resistant to changes in these provisions. However, it is important for a health care organization to assess and understand the risks a vendor arrangement may present, particularly where the vendor processes a large amount of data on the organization’s behalf, and to negotiate these provisions to the best of the organization’s ability to better address those risks.
Guidance issued by the Office for Civil Rights (“OCR”) in 2019 makes it clear that business associates are directly liable under HIPAA. OCR has the authority to take enforcement action against business associates for their own failures to comply with the Privacy or Security Rule and for impermissible uses or disclosures of PHI. However, in the event of a data breach caused by a business associate, a health care organization will still have primary responsibility for responding to and investigating the breach incident and notifying affected individuals. The health care organization is also likely to be the primary target in the event of any subsequent claims, class actions or federal or state regulatory investigation related to the incident. Therefore, an organization should be able to seek reimbursement or indemnification from a business associate where the breach was caused or contributed to by a business associate, even if comprehensive insurance coverage may also be available to the organization.
Common limitation of liability carve-outs that are generally negotiated with vendors include claims or third-party claims arising out of or related to the vendor’s breach of the business associate agreement, impermissible use or disclosure of PHI, and violations of applicable laws, as well as a carve-out for the vendor’s indemnification obligations. Monetary liability caps should additionally be eliminated or increased where possible to better reflect the nature of the services, data, and risks inherent in the arrangement. For example, a monetary cap equal to the amount paid by the organization in the twelve months prior to the incident may be inadequate in the event of a large-scale data breach. Consider an organization that pays substantial licensing and implementation fees up front in the first year of the contract, pays only a modest amount in annual maintenance and support fees in the second and third years, and then experiences a breach in the third year: the cap would be limited to a year of modest support fees.
Although vendors may be resistant to overly broad indemnification clauses that work in favor of the health care organization (e.g., “any and all acts or omissions”), health care organizations should generally negotiate indemnification, including defense obligations, from their vendors for breaches of the business associate agreement, impermissible use or disclosure of PHI (including those giving rise to reportable breaches), and violations of applicable laws. Any limit placed on damages, including monetary caps, should include a carve-out for the vendor’s indemnification obligations where possible.
Data breaches are not expected to decrease anytime soon. As data breaches, related litigation, and regulatory enforcement continue to evolve, health care organizations will need to remain proactive and mindful of their information security risk management programs, their cybersecurity and breach insurance, and their contract management processes.