Cyber Claim Examples

Scenario 1:  Damaged Computer Server

A damaged server containing personal information of employees and patients prevented a physician from effectively operating his practice. Under the NAS cyber policy's Network Asset Protection agreement, the physician was able to receive reimbursement for IT-related expenses to rebuild and restore the server, as well as personnel time to recreate the electronic records.

Claims paid: $45,000
Source: NAS Claims Dept., 2013

Scenario 2:  Online posting of unauthorized photos

A physician posted unauthorized photos of several patients on her website that were identifiable by name. There have been 15 invasion of privacy actions against the physician to-date, with several settling in the range of $150K per plaintiff.

Additional legal expenses incurred: $50,000
Source: NAS Claims Dept., 2013

Scenario 3: Employee stole patient identities and credit card information

An employee of a doctor stole the identities of multiple patients and made credit card purchases with the stolen information. The doctor became aware of the breach when the employee was arrested. Local and federal law enforcement later advised the doctor that the identities of 5 patients, and approximately $10,000, had been stolen by this employee. Two of the patients filed a lawsuit against the doctor in connection with the identity theft. The patients alleged that the doctor failed to prevent the unauthorized access of their credit card information. The patients sought compensatory damages and emotional distress damages.

Defense Costs: $25,000
Settlement: $20,000
Source: NAS Claims Dept., 2013

Scenario 4:  Stolen physician's laptop

A physician suffered a burglary at his residence and his work laptop was stolen. The laptop had his entire 15 doctor medical group's patient database on it comprising 57,000 records. Unfortunately, the laptop was not encrypted. Legal counsel was appointed to determine notification requirements and manage the response process. Counsel worked with the Insured's IT department to determine that there were 37,000 unique identities on the laptop. The medical group was also required to publish a notice of the breach on their website and in the local media. Additionally, the group was required to notify the Office of Civil Rights of the breach, which led to a Department of Health and Human Services investigation. The Office of Civil Rights required a complete submission from the medical group outlining how they were in compliance with the various provisions of HIPAA. Counsel worked with the medical group to show proof of strong privacy controls and training procedures resulting in the DHHS closing its investigation.

Total expenses: $44,000
Source: NAS Claims Dept, 2013