By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
Any data breach is a major disruption to the operations of a healthcare company. The disruption runs from having to re-secure systems, assess the validity of data, and provide public notification of the breach, among other actions. It all takes a lot of time and effort from all areas of the business. The fallout from the response can also lead to closure of the business, though, which is a pretty extreme outcome.
Physician Practice Closures
It has been a couple of years, but a physician practice in Michigan drew significant headlines when it announced a closure after a data breach. In that instance, the practice could not recover any of its files, which left patients stuck with no documentation of the services they had received through the practice. It was a particularly egregious example of what can happen after a data breach, but also a stark lesson of just how deep the impact can run.
The Michigan practice is not the only example of a practice closing, though. About six months after the Michigan practice announced it would close, the same thing happened to a practice in California. Again, records were encrypted following a ransomware attack, and recovery presumably could not occur. The issue goes back to not being prepared.
The previous examples both came from the clinical realm. What about a breach in a digital health company or other company that is more in the business associate realm?
Turning to Bankruptcy
In 2019, a debt collection service filed for bankruptcy protection following a months-long data breach. In that instance, the company did not necessarily suffer an inability to operate as it could continue fulfilling its collection service obligations. However, in its petition for bankruptcy protection, the company revealed that the costs of responding to the breach were beyond what it could afford and that it would need to liquidate. Specifically, the cost of sending mailings to all of the impacted individuals and other related elements added up very quickly from a financial perspective and there was not enough money available.
While the debt collection company was ultimately able to resolve the issues without fully going out of business, it suffered extreme disruptions to operations and fundamentally changed how it did business.
Latest Example
The latest example of a business closure following a data breach is Salusive Health, which seems to have been operating as myNurse. The breach is not really out of the ordinary: the notification states that a breach of its system was discovered that could potentially have resulted in a whole host of patient information being accessed. At the same time that the breach notification was issued, the company announced that it was ceasing operations. Despite the company asserting that the closure was unrelated to the data breach, the concurrent announcements make it very hard to believe there is not a close connection.
Since myNurse seemed to provide services that supported the delivery of care, it was most likely a business associate and likely held patient information for a variety of customers. That could mean a very broad impact and a very costly response. Considering those factors, it is easy to see how addressing the breach could overwhelm the finances of the company.
What About Cyber Insurance?
A basic part of doing business in healthcare is (or should be) maintaining a cyber insurance policy. While policy terms are still variable, most policies will help defray the costs of responding to a breach. The difficulty, especially for business associates working with many customers, is that policy limits could easily be reached. While each letter may cost less than a dollar to mail (though the exact cost keeps shifting), postage is not the only piece of the issue. There is also the cost of preparing the mailing, conducting the investigation, potentially reimbursing or indemnifying each impacted customer, and making operational changes. All of those costs add up and can exceed the coverage the policy provides, which then forces a company to seriously consider its financial viability.
Further, there is no guarantee that insurance will even cover the incident. When a claim is submitted, it should be expected that the insurance company will carefully vet the terms of the policy along with the representations made when the policy was issued. If a security questionnaire was not accurately filled out or the security posture was misrepresented, then coverage could be denied. In either of those instances, the impacted company will be fully on the hook for the response, which again goes to financial viability.
What To Do?
While it is not realistic to expect that every attack can be stopped (another way of saying that a breach will occur at some point in time), companies can take steps to make it harder for a breach to occur and to be prepared to respond quickly when it does. That means making strong security a basic part of operational culture, along with implementing and testing business continuity and disaster recovery plans. The best approach is to understand the constant risk of attack or compromise and to know how to respond when a bad event does occur. Then people will not be scrambling around or panicking. Instead, muscle memory will kick in, which will hopefully minimize the impact.
Another preparatory step is reviewing the relevant terms of contracts before signing. Each party to an agreement will seek the most advantage, but balance is possible. The terms should be reasonable (at least ideally) and consider the interests of both parties. It is not fair to tilt too far in one direction. Additionally, going too far in one direction could also create unrealistic expectations that cannot be fulfilled. Good discussions should avoid those problems.
Ultimately, closing a business because of a data breach does not help anyone. Think about possible outcomes, prepare ahead of time, and continually monitor the threat landscape.
This article was originally published on The Pulse blog and is republished here with permission.