Page 1

Cyber Risk for Healthcare Industry

Aon Risk Solutions | Global Sales & Marketing Support

Proprietary & Confidential

Date: 22nd Dec 2015

Page 2

Table of contents

Cyber risk in healthcare industry (page 3)

Data breach statistics (pages 4-5)

Claims by business sectors (pages 6-8)

Major penalties & fines (page 9)

HIPAA violations & fines (pages 10-11)

Cyber risk for M & A deals (page 12)

Cyber risk and D & O (page 13)

Cyber liability: purchase & retention (page 14)

Cyber liability: adequacy & effectiveness (page 15)

Cyber liability: limits (page 16)

Page 3

Healthcare industry seems to be highly prone to cyber risk

The healthcare industry primarily comprises hospitals, clinics, university-aided hospitals, government-aided hospitals, third-party service providers, healthcare homes, etc.

According to the ‘Breach Level Index’ database, the healthcare industry accounted for about 34% of the data breaches reported worldwide across all industries during 2015.

Ponemon Institute, a security research and consulting firm, conducted a study and found that around 90% of healthcare providers in the US had data breaches in 2013 and 2014, and that half of these incidents were of a suspicious nature.

An average data breach would cost a hospital in the US a whopping $2.1 million, according to research conducted by ‘Ponemon Institute’.

According to a study by ‘Accenture’, failing to make cyber risk a strategic priority may cost healthcare providers about $305 billion in lifetime revenue over the next 5 years.

Top global data breaches reported by industry, 2015 (chart): Healthcare 34%, Government 22%, Technology 16%, Others 15%, Retail 8%, Education 5%.

According to the ‘U.S. Department of Health and Human Services Office for Civil Rights’, almost 1.6 million people in the US had their medical information stolen or compromised from healthcare providers during 2014.

Page 4

Healthcare providers in USA & Canada have witnessed massive data breaches in 2015

Major healthcare data breaches in the world during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jan-15 | Anthem Insurance Companies (Anthem Blue Cross) | USA | 78,800,000 | Identity Theft | State Sponsored |
| Jul-15 | Korea Pharmaceutical Information Center | Korea | 43,000,000 | Identity Theft | Malicious Insider |
| Jul-15 | UCLA Health System | USA | 4,500,000 | Identity Theft | Malicious Outsider |
| May-15 | Medical Informatics Engineering & others | USA | 3,900,000 | Identity Theft | Malicious Outsider |
| Mar-15 | Virginia Dept. of Medical Assistance | USA | 697,586 | Identity Theft | Malicious Outsider |

Major healthcare data breaches in USA during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jan-15 | Anthem Insurance Companies (Anthem Blue Cross) | USA | 78,800,000 | Identity Theft | State Sponsored |
| Jul-15 | UCLA Health System | USA | 4,500,000 | Identity Theft | Malicious Outsider |
| May-15 | Medical Informatics Engineering & others | USA | 3,900,000 | Identity Theft | Malicious Outsider |
| Mar-15 | Virginia Dept. of Medical Assistance | USA | 697,586 | Identity Theft | Malicious Outsider |
| Mar-15 | Career Education Corp | USA | 151,626 | Identity Theft | Malicious Outsider |

Major healthcare data breaches in Canada during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Oct-15 | Rouge Valley Hospital | Canada | 12,595 | Identity Theft | Malicious Insider |
| Jun-15 | Eastern Health | Canada | 9,000 | Identity Theft | Accidental Loss |
| Jul-15 | Saskatchewan Cancer Agency | Canada | 900 | Identity Theft | Malicious Insider |
| Feb-15 | Ontario Welfare & Disability Recipients | Canada | 720 | Identity Theft | Accidental Loss |
| Jun-15 | Horizon Health | Canada | 158 | Identity Theft | Malicious Insider |

Page 5

Healthcare providers in UK & Australia have witnessed multiple data breaches in 2015

Major healthcare data breaches in United Kingdom during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Oct-15 | Pharmacy2U | UK | 100,000 | Nuisance | Malicious Insider |
| Oct-15 | MS Society | UK | 25,000 | Nuisance | Malicious Outsider |
| Jul-15 | Aberdeen Royal Infirmary | UK | 8,100 | Identity Theft | Accidental Loss |
| May-15 | East Sussex NHS Trust/Conquest Hospital | UK | 3,634 | Identity Theft | Accidental Loss |
| Jan-15 | The 56 Dean Street Clinic | UK | 780 | Identity Theft | Accidental Loss |

Major healthcare data breaches in Australia during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jul-15 | Medvet Laboratories | Australia | 800 | Identity Theft | Accidental Loss |
| Mar-15 | Holyoake | Australia | 27 | Identity Theft | Malicious Outsider |
| Mar-15 | Lyell McEwin Hospital | Australia | 3 | Identity Theft | Accidental Loss |
| Jan-15 | Harrington Park Medical Center & others | Australia | NA | Identity Theft | Malicious Outsider |

Page 6

Respondents from the healthcare industry witnessed the highest number of claims

NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size, etc.

The healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 21% of the total in 2015. Financial services accounted for 17% of the total number of claims for 2015.

The healthcare industry also witnessed the highest number of claims vis-à-vis other industries in 2014, accounting for 23% of the total. Financial services accounted for 22% of the total number of claims for 2014.

NetDiligence study - percentage claims by business sectors, 2015 (chart): Healthcare 21%, Financial Services 17%, Retail 13%, Technology 9%, Professional Services 8%, Non-Profit 4%, Other Industries 28%.

NetDiligence study - percentage claims by business sectors, 2014 (chart): Healthcare 23%, Financial Services 22%, Professional Services 10%, Retail 10%, Non-Profit 9%, Other Industries 26%.

Page 7

Insiders caused about one third of claims, and healthcare was the most affected industry

According to the study by NetDiligence, about 30% of the total respondents (total sample size: 160) attributed claim events to insiders, i.e. employees of the companies/organizations concerned.

More than 67% of the total claims attributable to insiders were unintentional. The remaining 33% of the claims were caused by employees who purposefully caused claim events.

The healthcare industry witnessed the highest number of claims caused by unintentional insiders, followed by the financial services and technology industries.

The healthcare and financial services industries witnessed the highest number of claims caused by malicious insiders.

NetDiligence study - unintentional involvement of insiders in claims by business sectors, 2015 (chart): Healthcare 38%, Financial Services 18%, Technology 15%, Other Industries 29%.

NetDiligence study - malicious insider involvement in claims by business sectors, 2015 (chart): Healthcare 29%, Financial Services 29%, Hospitality 12%, Professional Services 12%, Restaurant 12%, Other Industries 6%.

Page 8

Healthcare and financial services industries reported the most data breaches from third-party vendors

According to the study by NetDiligence, about 25% of the total respondents (total sample size: 160) attributed claim events to third parties for 2015.

The financial services industry was the most affected sector (accounting for 30% of total claim incidents), and the healthcare industry accounted for 13% of total claim incidents for 2015.

According to the study by NetDiligence, about 20% of the total respondents (total sample size: 111) attributed claim events to third parties for 2014.

The financial services industry was the most affected sector (accounting for 32% of total claim incidents), and the healthcare industry accounted for 18% of total claim incidents for 2014.

NetDiligence study - third party breaches induced claims by business sectors, 2015 (chart): Financial Services 30%, Retail 18%, Technology 18%, Healthcare 13%, Energy 10%, Other Industries 11%.

NetDiligence study - third party breaches induced claims by business sectors, 2014 (chart): Financial Services 32%, Healthcare 18%, Professional Services 14%, Education 9%, Technology 9%, Other Industries 18%.

Page 9

Many healthcare companies in the US have paid massive fines & penalties for violations of cyber security regulations & guidelines

Recent Major Regulation Breaches & Fines in North America

| Entity Fined | Fine | Violation |
|---|---|---|
| CIGNET | $4,300,000 | Online database application error. |
| Triple-S Management Corporation | $3,500,000 | Unsecured protected health information (PHI). |
| New York and Presbyterian Hospital | $3,300,000 | Failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. |
| Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen; poor policies and risk analysis. |
| WellPoint | $1,700,000 | Failure to put technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade. |
| Columbia University | $1,500,000 | Failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. |
| Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
| Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen; poor risk analysis and policies. |
| Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
| Parkview Health System, Inc. | $800,000 | Medical records dumping case. |
| Cancer Care Group, P.C. | $750,000 | Breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. |
| South Shore Hospital | $750,000 | Backup tapes went missing on the way to a contractor. |
| Idaho State University | $400,000 | Breach of unsecured ePHI. |
| Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
| Phoenix Cardiac Surgery | $100,000 | Internet calendar; poor policies and training. |
| The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen; no risk analysis. |

Page 10

HIPAA obligates healthcare providers to comply with the guidelines prescribed

Health Insurance Portability and Accountability Act (HIPAA) obligates all healthcare providers to ensure that all mandated physical, network and process security procedures are being observed.

Examples of HIPAA violations include:

1. Violations of unwilling negligence, including:

- Improper patient verification.
- Failure to dispose of patient records securely.
- Failure to discuss patient information in a private setting.
- Unintentionally faxing or emailing patient data to an incorrect destination.
- Inadequately storing and securing patient records.
- Accessing patient records outside of the approved network.
- Unintentionally exposing sensitive data to individuals not privy to the information.

2. Violations of willing negligence, including:

- Accessing patient records without proper authorization.
- Improper use of passwords and user names.
- Revealing patient information to unauthorized persons.
- Using unauthorized computers or other equipment within the network.
- Willingly leaving sensitive patient information unsecured.
- Using patient records for personal benefit.
- Selling medical information.
- Purposefully altering or damaging data stored in medical records.

Page 11

Healthcare providers would be forced to pay large sums in penalties & fines for violations of HIPAA regulations

Healthcare companies/organizations violating HIPAA regulations/guidelines are subject to the penalties & fines given below:

1. Penalties assessed to healthcare organizations unaware that they violated a HIPAA requirement:

- $100 to $50,000 per violation.
- $1,500,000 aggregate for an identical provision.

2. Penalties assessed to healthcare organizations with a violation of reasonable cause but not willful neglect:

- $1,000 to $50,000 per violation.
- $1,500,000 aggregate for an identical provision.

3. Penalties assessed to healthcare organizations with a violation deemed as willful neglect but rectified within a reasonable time:

- $10,000 to $50,000 per violation.
- $1,500,000 aggregate for an identical provision.

4. Penalties assessed to healthcare organizations with a violation deemed as willful neglect and left unresolved:

- $50,000 per violation.
- $1,500,000 aggregate for an identical provision.

Page 12

Mergers & acquisitions require complex integration of IT systems which may become susceptible to data breaches and cyber exposures

The healthcare industry witnessed high levels of M & A activity in 2014 and 2015. According to a ‘Thomson Reuters’ study, healthcare M & A value stood at $460.2 billion as of November 2015, up from $392.4 billion in 2014.

In 2015, Pfizer Inc offered to buy Allergan for a consideration of $160 billion, which is considered one of the largest deals in healthcare. This acquisition, which could create the world’s largest drug maker, has come under serious scrutiny on the political and economic fronts.

The news triggered panic amongst investors, and as a result the shares of ‘Allergan’ and ‘Pfizer’ fell by 3.4% and 2.6% respectively. Pfizer expects the deal to provide enhanced access to the tens of billions of dollars it has parked overseas and to allow for more share buybacks, dividend payments and business development.

This deal would involve a complex process of integrating the information systems of both companies, which may consume considerable time and effort.

One of the biggest threats could be unauthorized access to critical and proprietary information by malicious insiders and/or outsiders. Data breaches could be another problem, since both companies operate large volumes of data and information which must be integrated.

Most of the time, cyber security is ignored in a merger or acquisition, as a result of which the companies involved may become susceptible to data breaches and other cyber risks in the future.

International law firm Freshfields Bruckhaus Deringer found in a survey shared with Infosecurity that 90% of respondents believe cyber-breaches would result in a reduction in deal value, and 83% of dealmakers believe a deal could be abandoned if cybersecurity breaches are identified during deal due diligence or mid-transaction.

Dealmakers’ top concerns include targets suffering cyber-attacks during deal discussions, the target being a proven victim of data or intellectual property (IP) theft by cyber-attack, and evidence of a target not handling a past breach effectively (leading to fines, damage to reputation, etc.). Interestingly, acquirers (30%) are most concerned about cybersecurity issues derailing transactions, whereas 81% of sellers are unconcerned or only slightly concerned about the risk of derailment.

Page 13

Data breaches have led to lawsuits against board of directors.

It is interesting to ascertain whether cyber exposures or data breaches can lead to lawsuits against directors and officers. According to ‘The D&O Diary’, the boards of directors of ‘Target Corp.’ and ‘Wyndham Worldwide’ were sued soon after these companies witnessed high-profile data breaches.

Although the examples mentioned above are from different industries, namely retail and hospitality, it is interesting to ascertain the possibility of cyber liability leading to D & O liability. D & O policies are witnessing changes in scope & coverage, since the possibility of data breaches leading to lawsuits against directors & management is opening up.

It is quite unclear whether cyber/data liability/security claims would be covered under traditional lines of insurance such as property, general liability, etc. However, a few court rulings shed some light on decisions wherein cyber liabilities were covered under traditional lines of business. Although the companies involved in these lawsuits belong to industries other than healthcare, it is interesting to understand the treatment of liability.

In the lawsuit “Retail Systems, Inc. v. CNA Insurance Co”, the Court of Appeals of Minnesota compared a data storage tape to a motion picture and held that the data on a missing computer tape was of permanent value and was integrated completely with the physical property of the tape.

Generally, Commercial General Liability (CGL) policies offer broad liability insurance coverage under two insuring agreements: ‘Coverage A’ (bodily injury and property damage) and ‘Coverage B’ (personal and advertising injury). In the case “Eyeblaster, Inc. v. Federal Insurance Co”, the U.S. Court of Appeals for the Eighth Circuit held that a cyber liability claim was covered under Coverage A notwithstanding that “any software, data or other information that is in electronic form” was expressly excluded from “tangible property”.

Page 14

Healthcare industry respondents reported a lower increase in retention levels

Aon Global Risk Management Survey 2015, changes in retention levels (chart)

According to Aon’s Global Risk Management Survey 2015 report, about 33% of respondents from the ‘Agribusiness’ industry reported an increase in retention levels across all lines of business (property, general liability, etc.).

About 18% of respondents from the ‘Healthcare’ industry reported an increase in retention levels.

According to Aon’s Global Risk Management Survey 2015 report, 57% of the respondents from the healthcare industry had already purchased cyber insurance.

However, 42% of respondents had neither purchased cyber insurance nor had plans to purchase it. A very small portion of respondents (2%) had plans to buy cyber insurance.

Aon Global Risk Management Survey 2015, Purchase of Cyber Insurance Coverage by Industry (chart; series: Insurance Currently Purchased, Not Purchased & No Plans to Purchase, Plan to Purchase)

Page 15

Majority of the respondents from the healthcare industry felt existing cyber policy offered effective & adequate coverage

Aon Global Risk Management Survey 2015, Effectiveness of Current Cyber Insurance by Industry (chart)

Aon Global Risk Management Survey 2015, Adequacy of Current Cyber Insurance by Industry (chart)

According to Aon’s Global Risk Management Survey 2015 report, about 83% of respondents from the ‘Healthcare’ industry were pleased with the effectiveness of their existing cyber liability cover.

Only 57% of respondents from the ‘Hotels & Hospitality’ industry thought their current cyber liability policy was effective enough to offer protection from cyber liability.

According to Aon’s Global Risk Management Survey 2015 report, about 63% of respondents from the ‘Healthcare’ industry felt that their current cyber coverage provided adequate cover against cyber liability.

However, 48% of respondents from the ‘Retail Trade’ industry felt that their current cyber coverage wasn't adequate to provide cover against cyber liability.

Page 16

Estimation of the impact of cyber risk on healthcare industry

According to a study by ‘Grand View Research, Inc’, the global healthcare cyber security market is forecast to reach a value of $10.84 billion by 2022. Increasing incidents of cyber attacks aimed at misuse of electronic patient health records (E-PHR), social security records, IP theft, etc. are expected to drive the growth of this market.

Increased emphasis on the use of cloud-based applications & services and bring your own device (BYOD) may encourage cyber criminals to mount more attacks, which in turn would contribute to the growth of the healthcare cyber security market.

Rapid adoption of the internet in India & China is expected to create a huge user base vulnerable to cyber attacks. According to an estimate by the Internet and Mobile Association of India (IAMAI), India’s internet user base is forecast to reach nearly 402 million by December 2015.

According to a study by ‘Accenture’ and a publication by ‘Healthcare Informatics’, failing to make cyber risk a strategic priority may cost healthcare providers about $305 billion in lifetime revenue over the next 5 years (2016-20).

Sources used for the study:

Breach Level Index database.

NetDiligence Cyber Claims Study – 2014 & 2015

Prnewswire publication

Healthcare Informatics publication

Reuters publication

Aon Global Risk Management Survey 2015

For any queries regarding this report kindly contact:

Abhiram Holla,

Aon Specialist Services Pvt Ltd/ GSMS, t +918030912166 | m +919986186390, email: [email protected]