Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach. On February 5, 2016, hackers froze the hospital out of its electronic patient records. Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later. Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland. The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk. It is one, however, that a cyberinsurance can cover.
“Can.” Not necessarily “does.”
Policies have drawn a distinction between cyber extortion and other types of network security breaches. At the most general level, there seems to be little difference. It all starts with unauthorized access. A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records. Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.