Quality liability insurance coverage needed for deluge of cyberattacks on health care ecosystem

Most cyber insurance products promise robust liability insurance protection for, among other claims, privacy lawsuits stemming from the compromise of personal information. This has become critical protection given the alarming rate at which cyberattacks continue unabated on our health care system. As in other industries that have become a target of cyber criminals, no health care industry participant is immune from being targeted. Because of the interconnectivity and interdependency of health care providers and networks, an attack on one participant in the system can create a domino effect whereby numerous other organizations fall victim – as the massive attack on Change Healthcare this past February demonstrates. 

This spring has been particularly tough for health care providers and related entities. A rash of ransomware attacks has plagued the industry. As recently reported in Wired, in April, cybersecurity firm Recorded Future tracked a record 44 cases of ransomware attacks against health care organizations. While ransomware has a pronounced first-party loss exposure associated with it, these malware attacks also invite a host of third-party liability claims. Most modern ransomware attacks present the dual threat of disrupting operations and exfiltrating sensitive information—thus opening the door to privacy class action litigation.

The good news is that specialty cyber coverage and tailored liability insurance products sold to health care providers are available to protect affected organizations hacked or threatened through cyber extortion schemes. Insurance coverage may be available not only under dedicated cyber insurance products, but also under other insurance products such as directors & officers (D&O) insurance, errors & omissions (E&O) insurance, crime insurance, and general liability insurance. The coverages offered by non-cyber specific policies for cyber risks could become an increasingly valuable source of recovery should the market for cyber policies harden, resulting in increased premiums for cyber-specific policies, as is predicted to occur in 2025.

The rules governing information protected by HIPAA pose obvious legal risks to health care providers and their affiliates. Accordingly, insurance should be available where litigation ensues after disclosure of protected health information whether from a hacking event or alleged failure to properly protect/handle information. Most cyber insurance companies offer protection (either as a standard policy provision or coverage enhancement) against privacy litigation that results from hacking or alleged misuse and collection of otherwise protected information. In addition to litigation expenses, cyber liability policies may cover forensic investigations, regulatory defense expenses (including, in some cases, fines), and crisis management expenses.

Non-specialty policies may also provide coverage for such claims, though insurance companies may seek to invoke exclusions not tailored to cyber risks. In a 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, the Fourth Circuit Court of Appeals upheld a district court finding that a commercial general liability (CGL) insurance policy must cover defense of class action privacy litigation after certain protected health information was allegedly placed on the wrong side of a computer server and became searchable online without any safeguards. At issue was whether the inadvertent exposure of the data constituted “publication” notwithstanding that no one appeared to have accessed it. The Fourth Circuit concurred with the trial court that it did.

Regulatory risk is another main exposure for those handling medical/health records.Most quality cyber insurance products will provide meaningful protection against regulatory actions and investigations. This is an important measure of protection as serious breaches of privacy may spur lawmakers, FTC, DOJ and the SEC to aggressively investigate or litigate against those organizations accused of mishandling or improperly disclosing protected information.

For health care companies subject to the SEC’s registration requirements, D&O insurance coverage may become essential now that the SEC has finalized its new cybersecurity rule. The SEC last year initiated litigation for the SolarWinds data breach, naming both the entity and one of its officers as co-defendants. According to the SEC, “SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.” In the wake of the cyberattack on UnitedHealth Group subsidiary Change Healthcare, which has frozen payment for providers throughout the U.S. for weeks, Sen. Ron Wyden has called on the FTC and SEC similarly to “investigate UnitedHealth Group’s negligent cybersecurity practices, which caused substantial harm to consumers, investors, the health care industry, and U.S. national security.”

Policyholders should also be mindful that class action privacy litigation almost always follows on the heels of a serious cyber event imperiling the privacy of sensitive health information. Most third-party insurance products (including the third party and regulatory coverage promises of stand-alone cyber insurance policies) should provide a valuable source of coverage for defense costs as well as indemnity coverage. The duty to defend is broad in scope and thus, at a minimum, policyholders should look to secure their defense coverage under the terms of their liability insurance policies when confronted with claims, demands, or lawsuits from third parties—especially as class action privacy litigation has gained more traction in recent years.

CGL and E&O insurance policies can provide valuable insurance coverage for cyber-related claims even where no hacker is present. Sometimes technology fails without interference by a cybercriminal. In such cases, policyholders may have coverage for errors and omissions having to do with the failure of computer systems, software, and hardware. Because the case law continues to be developed around liability insurance for cyber claims, policyholders should always err on the side of providing complete and timely notice of claims and circumstances so that insurance companies and policyholders do not get embroiled in “late notice” disputes.

Unfortunately, claims handling for cyber claims can be more antagonistic under non-cyber-specific insurance products (as in Portal Healthcare). Some insurance companies are of the view that cyber claims should only be covered under the terms of a dedicated cyber insurance policy, and should not be covered under E&O, D&O, and CGL policies, and they will seek to bend various long-standing exclusions to defend against cyber claims.

As cyberattack incidence continues to rise, however, insurance companies seeking to exclude cyber-related losses under non-cyber specific policies are meeting greater skepticism from courts. Indeed, unless cyber risks are explicitly excluded in non-cyber specific policies, courts have shown a recent reluctance to accept the insurance companies’ bald assertions that their non-cyber specific policies are not meant to respond to cyber-related losses. The 2023 case of Merck & Co. v. ACE Am. Ins. Co. (N.J. App. Div. May 1, 2023), although involving a first-party property policy, illustrates this point. In Merck, New Jersey state trial and appellate courts held that the so-called “war risk” exclusion, which bars coverage for hostile or warlike action by any government, did not preclude coverage for the pharmaceutical company’s losses from the NotPetya malware attack in 2017 – even though that attack was launched by the Russian Federation as part of its ongoing hostilities with Ukraine. In denying the insurance companies’ argument that the war risk exclusion applied to state-sponsored cyberattacks, the trial court emphasized that cyberattacks have been a known risk for some time, and that the insurance companies had ample time to update their policies to expressly bar coverage for cyberattacks but that they had not done so. As hospitals have been targets of broad-based cyberattacks believed to have been state-sponsored, including WannaCry and NotPetya attacks, the Merck decision is of special interest.

On the heels of such decisions, however, the insurance industry has begun to add new exclusions expressly addressing cyber risks – including for state-sponsored cyberattacks. These exclusions are not uniform or standard and their inclusion varies from policy to policy. Thus, many avenues for coverage of cyber-related losses continue to exist for policyholders under a variety of insurance policies – including those sold specifically to businesses operating within the health care industry. It remains critical for policyholders to understand the coverages provided by each type of insurance policy they purchase and not be dissuaded should the insurance company adopt an immediate “no coverage” position. Indeed, as recent cases demonstrate, policyholders have had success fighting back against aggressive claims handling tactics and hasty claim denials.

Joshua Gold and Luma S. Al-Shibib are co-chairs of the Cyber Insurance Recovery Group at Anderson Kill P.C. Josh and Luma have obtained substantial recoveries for losses from data breaches, ransomware and phishing attacks under all-risk and fidelity crime policies as well as cyber policies. They can be reached at [email protected] and [email protected].