Securing Your Practice Against Data Breaches

September 18, 2014

No business is safe from cyber attacks. Physicians can benefit from both performing due diligence and purchasing insurance to mitigate the risk of loss.

As any publically traded company knows, the Securities and Exchange Commission (SEC) requires that certain forms be filed for material events. On August 18, 2014, in response to a cyber attack that occurred earlier this year, Community Health Systems, Inc. (CHS) filed a Form 8-K with the SEC. A Form 8-K is required under Sections 13 or 15(d) of the Securities Exchange Act of 1934 when certain events occur. This information is important for physicians for two reasons: (1) many physicians are becoming more integrated with hospitals; and (2) from a due diligence standpoint, it is important to know that HIPAA can impact a company's earnings. Just as the data breach at Target last holiday season left the retailer in a subpar financial position, so the reporting of "other events" can impact providers and medical device companies.

Community Health Systems' reported the following:

"In July 2014, Community Health Systems, Inc. (the Company) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an "Advanced Persistent Threat" group originating from China who used highly sophisticated malware and technology to attack the Company's systems. The attacker was able to bypass the Company's security measures and successfully copy and transfer certain data outside the Company.

"Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. The Company also engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts.

"Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company's physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company.

"The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (HIPAA) because it includes patient names, addresses, birthdates, telephone numbers, and social security numbers.

"The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack. The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."

This type of event also raises another issue - cybersecurity liability insurance. CHS noted that it purchased this type of insurance. Many companies work with clients of all sizes, including small physician practices, to insure against certain events. A word to the wise, make sure you work with the broker and understand the coverage and terms before purchasing the policy. Because of this precaution, CHS was able to report a very different impact on its financial status. The take-away is that no business is safe from cyber attacks and that physicians can benefit from both performing due diligence and purchasing insurance to mitigate the risk of loss.