Julie Danna
By Vanessa Orr
The cyber breach that occurred at Tallahassee Memorial Healthcare System (TMH) in January 2023 highlights the importance of cyber insurance for organizations of all sizes. The TMH cyber breach compromised the protected personal and medical information of 20,376 patients, including their social security numbers, dates of birth, treatment information, health insurance information and more.
The breach is one of the largest cyberattacks in Florida healthcare industry history, and the potential financial impact on TMH could be significant. The healthcare system could face legal and regulatory penalties, as well as the costs associated with notifying affected patients and providing them with identity theft protection services.
“Cyberattacks like this occur almost every day – it’s not if it will happen, but when,” said Julie Danna, Senior Vice President, National Health Care Practice, Danna-Gracey, a Division of Risk Strategies. “A trusted staff member might open a spreadsheet that they think was sent from their employer, but it is a breach designed to put the computer system on lockdown until the company pays a ransom. If the company doesn’t have cyber insurance, they might have to come up with hundreds of thousands of dollars to pay the ransom, get their system running again, and reach out to every patient who was affected by the breach.
“There may also be fees and fines to be paid, as well as the cost of a public relations campaign to help restore the company’s reputation,” she added.
Cyber insurance is designed to help organizations manage the risks associated with cyberattacks, including data breaches, theft of sensitive information, and other cyber threats. Cyber insurance policies typically provide coverage for a range of expenses that may arise from a cyber-attack, including costs associated with:
- Ransom payments
- Investigating the breach and identifying the cause of the attack
- Notifying affected individuals, including providing identity theft protection services
- Business interruption costs, such as lost income or revenue
- Legal expenses, including defense costs and settlements
- Regulatory fines and penalties
The importance of cyber insurance is not limited only to large organizations like TMH. Small and mid-sized businesses are also at risk of cyberattacks, and the potential financial impact of a breach can be devastating. Cyber insurance policies are available for organizations of all sizes, providing protection against the costs associated with a cyberattack.
“There’s a fallacy that only big organizations get hit, but that’s not the case,” said Danna. “These actors actually target small to mid-sized companies because they don’t have large IT departments, meaning that their information isn’t as secure. Unfortunately, healthcare is the industry that has the most financial rewards for criminals because they can access so much information by simply breaching a practice.”
Fortunately, the cost of a cyber insurance policy is affordable; especially when a company considers what it could lose without one.
“A smaller practice can get a cyber insurance policy that covers $1 million in damages for a few thousand dollars,” said Danna. “The premiums are low compared to the cost of a breach, which should cover ransomware as well as give the company coverage for business disruption if they can’t get access to their systems.
“Companies can be fined per day per patient for the patients who they haven’t informed of the breach, and a cyber policy can set up a PR division to reach all of these patients, as well as the cost of attorneys who need to get involved,” she added. “The cost of this insurance is worth peace of mind.”
Danna noted that it’s important to work with an agent that specializes in cyber insurance policies as each carrier and each policy is different. She also cautions that those who have a cyber policy on their medical malpractice insurance need to understand that those policies only cover $50,000 of damages.
“Many times, if a practice has been breached, the practice has to pay upfront and then get reimbursed; it’s kind of like a Band-Aid that hurts you instead of helps you,” she said. “It’s definitely not enough.”
With the increasing frequency and severity of cyberattacks, organizations of all sizes must take proactive steps to manage their cyber risk, including bolstering IT departments and investing in cyber insurance policies. By doing so, organizations can better protect themselves against the financial consequences of a cyberattack and provide their patients with the peace of mind that their information is protected.
For more information, contact Julie Danna at jdanna@risk-strategies.com, call (850) 530-3924 or visit www.dannagracey.com.
