Chance Encounter Results in Privacy Breach
By Susan Decareaux, CPCU, RPLU, CISR
The following article is based upon an actual claim situation experienced by an SVMIC policyholder. The details have been altered to protect our policyholder’s privacy.
What images do the terms “security breach” or “privacy breach” conjure up when you see them? Most people think of ransomware attacks or identity thieves hacking systems and stealing personal information, as these instances are so prevalent in the news. While security or privacy breaches often involve electronic systems, the terms may also apply to non-electronic records.
Dr. Collin James,* a pediatrician, enjoyed practicing in the small community where he and his family also lived. One evening on his way home from a busy day seeing patients, he stopped by the grocery store to pick up some items for dinner. While he was contemplating the butter selection in the dairy section, a woman approached him with a small child.
The child was a patient of his, and Dr. James recognized his mother and the boy immediately. After he greeted them warmly, the mother of the child mentioned that her son was still running a low-grade fever, even though he had taken antibiotics since they saw Dr. James in his office a week ago. She asked him what to do, and Dr. James advised that if she was concerned, she should take her son to the emergency department at the local hospital, or if she thought he could wait, she should phone the office in the morning and he would be happy to see her child. She said she would think about it and would probably call him in the morning.
Dr. James asked the woman to remind him of her child’s date of birth and full name so that he could let his office staff know to check on her son in the morning if they had not heard from her. He wrote this information along with a quick summary of their conversation on the back of his grocery list, with the intention of adding notes regarding this encounter into the boy’s medical record as well as following up with the patient.
Once Dr. James got home and unloaded the groceries, he proceeded to log in to his laptop and access the office medical records to enter his notes. He looked in his pocket where he had kept his grocery list, and it was not there. He took all of the grocery bags out of the recycle bin and checked for the note there, to no avail. He retraced his steps back to the car and looked all over the car, including the trunk, but he could not find the note.
He returned to the store, scanning the parking lot and then searching throughout the store but could not find the note anywhere. Dr. James remembered the name of the child, but recognized the possible ramifications of the disclosure of protected health information, which included the child’s full name, date of birth and notes regarding his condition.
As soon as Dr. James got to the office in the morning, the first thing he did was to ask his staff to follow up with the patient. The second thing he did was call SVMIC, since he knew his coverage included $50,000 of cybersecurity insurance coverage.** He spoke with an SVMIC claims attorney, who then forwarded the information to NAS Insurance, SVMIC’s partner in cybersecurity coverage.
The cybersecurity coverage included coverage for “a claim for an actual or alleged security and privacy wrongful act.” A “security and privacy wrongful act” as defined in the endorsement is “the failure to prevent or hinder a security breach, which in turn results in…the theft, loss or unauthorized disclosure of electronic or non-electronic confidential commercial, corporate, personally identifiable, or private information that is in an insured’s care, custody or control.” NAS was able to assist Dr. James in determining how he should proceed in mitigating any damage caused by the lost note, including notification of the patient.
In addition to the cybersecurity coverage through NAS provided in SVMIC’s medical professional liability policy, there are other tools available to our policyholders. Through SVMIC’s partnership with NAS, our policyholders have access to NAS cyberNET. This site features monthly cybersecurity updates, webinars and online training and support. In addition, SVMIC’s Medical Practice Services offers consulting and training related to cybersecurity and HIPAA.
*All names have been changed.
** Cybersecurity coverage is subject to terms, conditions and exclusions not described in this article. The information contained in this article concerning cybersecurity insurance is intended to give you an overview of the coverage available. None of the information—including any policy or product description—constitutes an insurance policy or guarantees coverage. The policy contains the specific details of the coverages, terms, conditions and exclusions and coverage determination is made by the company at the time of a claim.
The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.