Today’s Flavors of Cyber Crime Liability

First, we want to recognize the behavioral health and social work professions as genuinely noble, founded on service, integrity, and clinical expertise. The profession can often be stressful and very dangerous. The nation is grateful for what you do—AND SO ARE WE! Thank you!

What do we mean by the “flavors” of cyber-crime liability?  We often see news reports about exposing people’s credit card information and retail credit card information breaches, leading to multimillion-dollar thefts.  We also hear about the extortion of medical practices through invasive systems tactics and extortions involving millions of dollars.  The financial flavor is what we hear about the most but is not the most frequent.  In other words, cybercriminals follow big money by invading credit card and bank accounts or indirectly by controlling your records database and extorting you.

There is another cyber liability “flavor” that is the most frequent and regularly impacts social workers, behavioral health practitioners, and small practices.  Specifically, we are talking about client information breaches, which can be a first-party breach, when you breach the records, or a third-party breach, when a vendor such as a mover of your paper files or a digital warehouse network provider breaches your client information.

Let’s take a look at the current cybercrime environment.  The following is information published in the Insurance Journal (Nehemiah Balaoro, May 20, 2024, pp. 21–22).  The U.S. claims the frequency of cybercrime is rising.  In 2023, more than 880,000 cyber-crime complaints were reported to the FBI, involving over $12.5 billion in losses.  Ransomware claims (extortion) accounted for a lot of the spike, boosting the average loss per claim to $100,000, and the victim paid 52% of the claims out of pocket.

Businesses with annual revenue between $24 million and $100 million suffered a 32% increase; businesses with yearly revenue over $100 million suffered a 14% increase, and businesses with less than $25 million in annual revenue suffered an 8% increase.   The data indicates that large and sophisticated companies have the most robust safeguards because they have the most to lose.

The next-highest business category suffers because it has significant financial assets at risk of loss but weaker cyber protection.  The smaller businesses suffered the least growth in cyber losses because they are simply small targets for crime.  However, small practices are at risk for client information breaches by their third-party vendors and themselves.  Ransomware accounted for 19% of reported claims, making it the largest source of claims severity.  Often, the victims are lucrative medical practices.

Notably, regarding social worker and behavioral health practices, third-party data breaches increased by 21% in 2023, and claims severity increased by 28% to an average loss of $53,000, which is why you need a Preferra cyber liability policy.

The Preferra cyber liability policy protects you from the defined perils listed under the Federal HIPAA High Tech law 45 CFR Part 160, which Congress enacted in 2013. Only Preferra explicitly lists these special perils as coverage in its cyber liability policy.

Here are the perils and Preferra cyber liability coverage that protects you with comprehensive coverage at a lower cost than any other insurance carrier:

  • Pay the legal defense costs for claims brought by your client and for civil actions brought by federal and state authorities.
  • Pay the costs to notify, via the U.S. Postal Service, every client in your practice.
  • Pay the cost of a one-year subscription for identity theft protection for the client(s) who were victims of the records breach.
  • Pay the cost of damages that you are obligated to pay under a court judgment or settlement.
  • Pay the cost of civil fines and penalties.
  • Pay the costs of an auditor to investigate the breach, including forensic investigation of systems security.
  • Pay the costs of data restoration.
  • Pay the costs arising from advertising injury in connection with the breach.

So, what preventative measures do I take to secure my records proactively?  Businesses that use a boundary device to protect their network by updating firmware and monitoring all endpoints are best able to react to a compromise.

However, research your vendors thoroughly.  The Insurance Journal report stated that the Cisco Adaptive Security Appliance (ASA) devices that enable remote access and protect networks with a firewall with VPN capabilities suffered a surge in breaches in 2023 of 250% and are five times more likely to experience a cyber claim. Investigators discovered that Cisco ASA devices had several critical vulnerabilities.

The cyber liability threat that we at Preferra see the most is client records breaches. Preferra’s professional liability policy covers first-party records breaches, including the social worker mistakenly faxing a client record to the wrong telephone number or a burglar opening a file cabinet containing client records even though nothing was disturbed.

So, what is happening in the future regarding data privacy?  Indeed, we see an increasing intermingling of people and markets.  The more connectivity, the more breaches will occur.  State legislatures recognize the need for enhanced data privacy and introduced over 50 bills in 2023 dealing with data privacy (Insurance Journal, May 20, 2024, p. 46).  Included in “privacy” are biometric data, pixel tracking, and chatbots.  Chatbots are increasingly a concern.  Over 100 lawsuits have been filed since mid-2022, alleging privacy violations in conjunction with users’ interaction with website chatbots.

Chatbots are a result of AI (artificial intelligence) tools.  Designed to mimic human conversation through text or voice interactions, chatbots are used in many industries for customer service and customer support, with virtual assistants for call routing and coaching.  They use predictive responses rather than knowing the actual meaning of their responses.  That is a real danger in the behavioral health profession.  The feedback can often be inaccurate or fabricated content (hallucinations).  So, misinformation spreads widely and inexpensively.

If used with therapy, practitioners will be at risk in many ways and subject to malpractice lawsuits, licensing board investigations, information disclosure, and breach liability. A warning: If you use GenAI models and applications in your practice, use extreme caution regarding the consequences.  Moreover, we have heard of courtrooms deciding against documentation evidence provided by the practitioner as a defendant in a lawsuit where the therapy notes were identical: the practitioner relied on the WORD system or other word-processing applications to expedite note-taking, and the documentation repeatedly used the exact same words and phrases.

In closing, balance your therapy notes using your own words.  Spell check is different than a system that automatically inserts repetitive phrases and words that will hurt you in your defense in court.

Buy a Preferra cyber liability policy to protect you against third-party breaches of your records, and buy a Preferra professional liability policy to protect you against breaches caused by you.  For a small practice, we recommend the Preferra cyber liability coverage of $12,000 per occurrence, the least expensive in the market, with the most comprehensive coverage under the HIPAA High Tech law.  Finally, operationally speaking, exploring well-supported security providers to protect your client records and other sensitive information makes sense.