The Athens Orthopedic Clinic in Georgia suffered a breach in June of this year. Even though they discovered the breach within two weeks of it occurring, the hackers made off with information on 200,000 current and former patients. The information taken includes names, addresses, socials, birth dates, phone numbers, diagnoses and medical histories.
One of the typical things that companies that are breached do is to buy credit monitoring and/or credit repair services for the victims of the breach.
In this case, Clinic CEO Kayo Elliott said that while they would like to provide credit monitoring services, they cannot afford it.
Law firms are also considering filing lawsuits against the clinic.
Although they do not say so, it would appear that they do not have any cyber breach insurance. The consequence of this is that the clinic may well file for bankruptcy and even go out of business.
If they had adequate cyber breach insurance, then the insurance company would pay for the credit monitoring services and also the legal costs to defend the clinic.
And, the word adequate is important.
Cyber breach insurance is not a “standard form” insurance policy, the kind where the state approves the coverages and forms. Instead, each insurance company is free to do its own thing: create its own policy and define its own exclusions and exceptions.
So, when you are comparing cyber risk policies, make sure you understand what is and is not covered.
In addition, you should consider how much insurance you need.
In this case, the hackers were only in the systems for two weeks, yet they compromised 200,000 records.
If you assume that it will cost a company $1 a month per client to provide identity theft coverage, then a year’s coverage for their breached clients would cost $1 x 12 months x 200,000 records, and that cost alone is $2.4 million. This does not include forensics costs, legal costs, crisis communications costs, HIPAA fines or any other breach-related costs.
So in this hypothetical case, if the clinic had a $1 million policy they still would not have anywhere near enough coverage.
The Ponemon Institute puts the average total cost of a breach at around $200 per record. So, in this case, 200,000 records x $200 = $40 million.
Unfortunately, a clinic like this will not be able to afford a policy of this size, but you should consider the potential size of a breach and what your costs are likely to be. Your insurance broker can assist you in estimating these costs.
Even when the breaches are much smaller, the costs can run from the hundreds of thousands to the low millions. Is that a cost that your organization can deal with alone? If you don’t have insurance, the answer to that question is yes: you will have to deal with it, whether you like it or not.
Information for this post came from ZDNet.