Records Go Missing After EMR Outage
By Susan Decareaux, CPCU, RPLU, CISR
The following article is based upon an actual claim situation experienced by an SVMIC policyholder. The details have been altered to protect our policyholder’s privacy.
It was a day that began like any other for Dr. Sandra Lynn, an internal medicine doctor and the head of a multi-specialty clinic made up of 15 physicians. She began with 30 minutes on the treadmill, followed by a quick shower and a smoothie for breakfast on the way to the office. Soon, the day would take a dramatic turn.
As she drove to the office, her phone rang and she answered it using the Bluetooth feature in her car. It was her practice administrator, Martha. Dr. Lynn knew that Martha would not call so early in the morning unless something was wrong, so she answered the phone by asking, “Are you okay?” Martha assured her that no one was sick or injured, but that their EMR system was offline. Martha had tried to reach the EMR vendor, but was unable to get through at the time of her call to Dr. Lynn.
Dr. Lynn’s office had protocols in place for power outages and other types of emergencies. One preemptive practice was the daily printing of the appointment calendar with patients’ names, phone numbers and reasons for their visits. Martha used this list to contact the non-acute patients to reschedule their appointments.
Martha continued working with the EMR vendor to get the system up and running while the doctors treated their remaining patients. These patients were asked to complete a medical history upon arrival, including medication list, and the doctors and staff took copious notes that were later scanned and entered into the EMR once it was available. Yet, not having access to the patients’ treatment notes and health histories was worrisome from a treatment standpoint.
Finally, the EMR system came back online, and the doctors were relieved - until Dr. Lynn opened the records for her next patient, whom she had been treating for a wound infection for three weeks. All of the treatment records for the last month were gone. She looked up the record for the following patient, who had been in two weeks prior for a UTI, and those treatment notes were gone as well.
Relief turned into panic as Martha conducted a search of the EMR records for the month in question, and all of the treatment data was gone for patient visits during that time period. To make matters worse, the EMR vendor was not at all helpful. They indicated that the records were lost and irrecoverable.
Martha had recently attended a luncheon with a speaker who talked about cybersecurity insurance, which prompted a conversation with SVMIC regarding the cybersecurity coverage that is included with the doctors’ professional liability policies. The practice had subsequently purchased the increased limits cybersecurity insurance policy through SVMIC’s partnership with NAS Insurance.
Both the embedded and the increased limits coverage included Network Asset Protection* which was described as “coverage for amounts incurred to recover and/or replace electronic data that is compromised, damaged, lost, erased or corrupted due to (1) accidental damage or destruction of electronic media or computer hardware, (2) administrative or operational mistakes in the handling of electronic data, or (3) computer crime/attacks including malicious code and denial of service attacks. Coverage also extends to business income loss and interruption expenses incurred as a result of a total or partial interruption of the Insured’s computer system directly caused by any of the above events.”
Martha contacted SVMIC’s claims department, which then notified NAS. A forensic expert helped recreate the records from the practice’s own backup system. When they were finished, the only records not in the EMR system were the patient visits from the morning when the system was down.
In addition to the cybersecurity coverage through NAS provided in SVMIC’s medical professional liability policy, other tools are available to our policyholders. Through SVMIC’s partnership with NAS, our policyholders have access to NAS cyberNET. This site features monthly cybersecurity updates, webinars and online training and support. Access this site here. In addition, SVMIC’s Medical Practice Services Department offers consulting and training related to cybersecurity and HIPAA.
* Cybersecurity coverage is subject to terms, conditions and exclusions not described in this article. The information contained in this article concerning cybersecurity insurance is intended to give you an overview of the coverage available. None of the information—including any policy or product description—constitutes an insurance policy or guarantees coverage. The policy contains the specific details of the coverages, terms, conditions and exclusions and coverage determination is made by the company at the time of a claim.
The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.