Duration: 13 months and still pending
Nature of Risk: Orthopedic Surgeons
State: Arizona

The Insured received notice of the Department of Health and Human Services, Office for Civil Rights complaint alleging that the Insured was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information. It appears that the OCR complaint originated from a privacy breach reported by the Insured to the OCR in compliance with HIPAA.

The underlying privacy breach involved the theft of medical records for 12,000 patients from a storage shed. While the records were recovered by the police within 48 hours, the Insured was required to notify the affected patients. Furthermore, given the number of affected patients, the Insured was required to issue a press release and to report the matter to the OCR within 60 days. The OCR investigation is pending.

To date, the Insured has incurred approximately $97,000 in legal expenses, PR expenses and notification costs as a result of the underlying privacy breach. We anticipate that the Insured will incur an additional $25,000 in legal fees as a result of the OCR investigation.

Qui Tam – Whistleblower
Duration: 20 months
Nature of Risk: Senior Psychological Care
State: Texas

The Insured received notice of a U.S. Non-Intervention Order that was filed as part of a sealed qui tam complaint filed in 2010 alleging multiple violations of the Federal False Claims Act relative to Medicare Claims. More specifically, the complaint alleged, among other things, that in addition for charging for the services rendered by clinical psychologists, the Insured also charged for services provided by nurses, technicians and other therapist even when such services were not “incident to” the clinical psychologist’s professional services. This upcoding resulted in the Insured being reimbursed at a higher rate. The complaint sought damages of no less than $5,500 and no more than $11,000 for each violation of the False Claims Act.

The matter is still pending. Projected legal/expert expenses: $320,000.

Coverage for defense costs and fines and penalties arising out of governmental agency actions/investigations of HIPAA (Patient Privacy), EMTALA (Emergency Medical Treatment and Active Labor Act) and STARK (Physician Self-Referral) violations

Coverage for defense costs and fines/penalties resulting from government investigations of privacy law violations, including, but not limited to, violations of HIPAA, Red Flag Rules, and the Hi-Tech Act

Coverage for third party claims resulting from the dissemination of online or offline media, including claims alleging copyright/trademark infringement, libel/slander, advertising, plagiarism, and personal injury

Coverage for all reasonable and necessary sums required to recover and/or replace data that is compromised, damaged, lost, erased or corrupted due to a covered cause of loss. Coverage for income loss and business interruption expenses directly resulting from a total or partial interruption, degradation in service or failure of the insured’s computer system due to a covered cause of loss. “Covered cause of loss” includes accidental damage or destruction, administrative or operational mistakes, and computer crime and attacks.

Coverage includes all reasonable legal, public relations, advertising, IT forensic, call center, credit monitoring and postage expenses incurred by the insured in response to a privacy breach. Also includes Proactive Privacy Breach Response Costs which covers the amounts incurred to retain a PR expert before the publication of an adverse media report of a security or privacy breach in order to avoid or mitigate the potential reputational harm resulting from the bad press, and Voluntary Notification Expenses which provides coverage for the costs to notify individuals of a privacy breach where there is no legal requirement to do so.

Covers extortion expenses incurred, and extortion monies paid, as a direct result of a credible cyber extortion threat

Coverage for income loss and business interruption expenses directly resulting from a total or partial interruption, degradation in service or failure of the insured’s computer system due to an act of terrorism

Provides coverage for the fines and penalties levied by the Payment Card Industry Data Security Standards council (VISA, Mastercard, AmEx, Discover, and JCB) against merchants who are not PCI DSS compliant

Coverage for lost revenue directly resulting from an adverse media report and/or notification to customers of a security or privacy breach

To request an application for higher limits, please contact Carly Thames, Account Executive, at 225.906.2062 or cthames@lammico.com, or your Elatas Risk Partners representative. 

Preexisting policyholders simply need to fill out a Warranty Statement to apply for higher limits. Elatas Risk Partners also offers insurance policies to protect against the threat of cyber liability to providers who are not insured by LAMMICO.