Skip to main content
Article

Client alert: Patient injury resulting from cyber incidents

Some practical coverage considerations

Financial, Executive and Professional Risks (FINEX)
N/A

By Robert Barberi | October 6, 2020

With recent examples of cyberattacks that caused or could have caused patient injury, evaluating cyber coverage avenues and limitations is critical.

Healthcare providers have been in the cross hairs of cyber bad actors for quite some time. In the past, hospitals of all types and sizes have suffered material data breaches of Protected Health Information (PHI), network disruptions and losses arising from the payment of ransomware demands.

Just recently, Universal Health Services, a chain of hospitals operating in the U.S. and Britain, had their computer networks knocked offline by a ransomware cyberattack which forced ambulances to be redirected and certain surgeries to be sent to other hospitals. Although there have been no reported patient deaths or injuries as a result of this incident, the disruption to patient care appeared significant given that 400 hospitals and 90,000 employees were affected.

Similarly, there were no reported patient injuries or deaths resulting from the 2017 WannaCry cyberattack which caused a significant disruption to numerous U.K. based healthcare facilities.

However, just last month, it was reported that a hospital based in Düsseldorf, Germany was subject to a ransomware attack which resulted in a patient death, the first such reported due to a cyber-attack. The incident affected 30 servers, which crashed systems and forced the hospitals to turn away emergency patients. As a result, a woman with a life-threatening condition was diverted to another hospital 20 minutes away and died from treatment delays.1

With clear examples of cyber incidents that either have, or certainly could have caused, patient injury, examining potential coverage avenues and limitations under cyber, healthcare professional liability and general liability policies, is of critical importance.

  1. 01

    Analyzing the cyber coverage response

    A cyber policy may cover the following:

    • The costs incurred by an insured to respond to the ransomware attack. These costs may include expenses to notify affected individuals, complete a forensic investigation, hire a public relations firm to mitigate damage to the organization’s reputation, hire a law firm to provide advice on how to comply with pertinent data security laws and restoring or recreating data.
    • The costs of the insured’s legal defense and any settlements reached on the insured’s behalf following litigation arising out of third-party privacy or network security claims due to the attack.
    • The actual ransomware extortion payment to the bad actor in exchange for the decryption key to restore data and systems, as well as costs for the use of outside specialists to manage the ransomware incident, subject to the insurer’s consent.
    • The loss of net income, continuing operating expenses and the forensic accounting costs to identify business interruption losses arising from a cyber attack.
    • Loss of net income caused by damage to the company’s reputation following a cyber attack.
    • Regulatory fines and penalties arising from the failure to protect sensitive Protect Health Information (PHI), depending on insurability in the applicable jurisdiction.

    While bodily injury coverage under the cyber policy is customarily limited to mental anguish and emotional distress, some cyber policies may include “contingent bodily injury coverage”, which can extend coverage for physical injury, sickness, disease and death. However, this coverage often only responds if the bodily injury arises directly from the cyber incident. In words, the death that occurred indirectly due to the ransomware incident at the German hospital may not be covered under contingent bodily injury coverage, or similar coverage extension on a cyber policy. Further, contingent bodily injury coverage may require that the bodily injury claim is not covered under any other policy of insurance and typically does not respond if the insured’s own act error or omission is the immediate cause of the loss. Ultimately, many cyber insurers are still wary about being drawn into medical malpractice claims that are caused by a cyber incident.

    Finally, the following customary cyber exclusions could impact coverage for ransomware attacks:

    • War exclusion – particularly if a nation state engages in a cyberattack along with another associated military activity or acts associated with interstate conflict.
    • Intentional acts committed by management (e.g., an unlikely scenario where a member of senior management commits the ransomware attack).
    • Failure to obtain insurer consent prior to incurring costs or settling security or privacy litigation.
  2. 02

    Analyzing the healthcare professional liability and general liability policy response

    In general, losses arising from privacy and network security liability, the costs associated with a ransomware demand, non-physical business interruption and privacy regulatory fines and penalties are outside the scope of the coverage available under either a healthcare professional liability or general liability policy, typically written together within one policy form. However, there may be coverage for patient injury and medical malpractice claims which arise from a cyber incident under a healthcare professional liability policy. Answers to the following key coverage questions may dictate the coverage response under such a policy:

    • Is there an electronic data transmission or data related exclusion? These exclusions are becoming increasingly common (even standard) on healthcare accounts. They typically carve out the cyber liability coverage (both third-party and first party elements) and apply both to the patient injury and general liability portions of a healthcare professional liability policy. As such, they need to be reviewed carefully.
    • If there is a data liability (or similar) exclusion, are there exceptions for bodily injury? Some, but not all, cyber exclusions in healthcare professional liability policies specifically carve back coverage for electronic/data liability that results in bodily injury. This is largely driven by the recognition that the duty of care that a provider owes to their patients encompasses not just the bedside care, but also the operations and infrastructure that supports that care (e.g., the ability to timely access their systems, obtain accurate data, etc.).
    • How broad is the war & terrorism exclusion on the healthcare liability policy? Certain cyberattacks, particularly those committed or supported by a nation state, could be excluded from coverage here. Regardless of whether or not a cyberattack is committed or supported by a nation state, some terrorism definitions are often broad and can include “disruption to electronic systems.”

    When it comes to bodily injury and death not related to a patient, many general liability, excess and umbrella policies have incorporated cyber and electronic data exclusions over the past few years. With a health care risk profile, it is important to secure an exception to the general liability policy exclusion for bodily injury and property damage resulting from a cyber breach. This kind of exception, which not all markets will offer, can be easier to secure when an insurer sees that the insured has appropriately insured its cyber liability elsewhere.

  3. 03

    Recommendations

    Considering the above analysis, the below represents some generally recommended next steps for healthcare providers who are concerned about exposure to bodily injury arising from a cyber incident:

    • Conduct cyber coverage analysis of any healthcare professional liability and general liability policies which are in play.
    • Address problematic exclusions or cyber coverage limitations within healthcare professional liability and general liability policies.
    • Because contingent bodily injury coverage may not be a comprehensive solution for patient bodily injury arising from a cyber incident, it is important to either seek a more affirmative coverage grant for patient injury, or consider a difference in conditions/difference in limits coverage which would respond in the event that a healthcare professional liability policy either excludes coverage or erodes its program limit.

Footnote

1 https://www.dailymail.co.uk/news/article-8782037/Universal-Health-Services-offline-IT-security-issue.html

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast, Inc. (in the United States) and Willis of Canada, Inc.

Author

Director, FINEX Cybersecurity and Professional Risk

Contact Us