Specialty Podcast: The Insurance Implications for United Healthcare Cyber-Attack

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:08):
Hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz and I'm here with Steve Shappell, leader of our specialty claims team. I'd like to start off today by speaking a little bit about this breach at Change Healthcare. It's already affected a number of our clients; we've been watching the claims come in and as we record this episode, the technology unit of a leading health insurer is still grappling with the effects of a massive cyber attack that has caused disruptions for pharmacies and other healthcare organizations across the U.S. This was an attack by Black Cat, a threat actor that is suspected of having nation state associations, and it caused an outage to the network that helps facilitate the flow of information between healthcare providers and insurance companies. So in an 8K filing with the Securities and Exchange Commission, the parent of this technology company, UnitedHealth, acknowledged its discovery on February 21st of unauthorized access to its subsidiary’s network.

The technology company itself released its own statement this past week, and they indicated that they had taken immediate action to limit the effects of the outage and protect the interest of their business partners and their patients. They stated that more than a hundred of their services had been impacted, including benefits verification, claims processing and prior authorization for coverage. And the company's working closely with law enforcement and incident response vendors around this cyber attack. But what I thought was really most interesting about this statement was that it goes on to imply that if healthcare providers are facing ongoing issues, it's their own fault. The company said, and I'm quoting from the statement now "as we remediate, the most impacted partners are those who have disconnected from our systems and or have not chosen to execute workarounds." Now, reading between the lines, I take this as suggesting that the company is expecting its partners to build resilience into their own operations, and that if they find themselves in court, they intend to argue that their liability should be limited when their partners have failed to do that.

And this really drives home the point about third party risk management being so important in the healthcare space. And it's not as if healthcare organizations haven't seen the warning signs of this coming. We've been down this road before - the Kronos outage disrupted timekeeping at hundreds of facilities. We had nurses and orderlies recording their hours with a pad and a pen, and this diverted their attention from patient care. More recently, we've had the MoveIt file transfer vulnerability and that disproportionately impacted hospitals and other healthcare providers, and it caused a lot of lost income and extra expense for them. And now doctors and pharmacies are struggling to keep prescriptions filled and their customers’ needs met. Even more distressing, though, is the fact that these vendors typically have limitations of liability built into their contracts. So I don't know the specifics around what the contract provisions were for Change Health, but typically they include a limitation like return of say, 12 months’ fees.

And that's not going to make many of these providers whole. So this is why we stress third party risk management as being vital to all of our clients, but especially in the healthcare space. And our risk consulting practice can help companies get a handle on these exposures and get a better understanding of the cyber maturity of the vendors that they're dealing with so that they can take steps to build safeguards into their own operations so that they can bounce back from an event like this. It's also a good time for folks to check their cyber insurance policy to see what coverage they have for what's commonly known as dependent or contingent business interruption. This coverage is often added to your policy by endorsement. It may be sublimited; it may have a separate waiting period. And there's also the question of whether you have coverage for situations where you voluntarily shut down your network to limit further losses. That's another thing that's not necessarily in the base form of these cyber policies and needs to be negotiated. And so these are the conversations we are having with our clients right now in light of what we're seeing play out in the healthcare space. So with that, I'm going to turn it over to Steve to talk about some of the coverage litigation that we are keeping an eye on right now for our clients.

Steve Shappell (04:32):
Thanks David. And thanks for that update on the cyber front. It continues to be a brave new world of something new every single day, week, month. So, real quick on the litigation that's going on, we're seeing an ongoing amount of coverage disputes and litigation that is unprecedented, just a lot of it. So I would encourage you look at our Executive Liability Insight newsletter for the last two months because it really does give a decent indication of the things we're seeing and have seen in the last 12 months. So, as a recap for the last 12 months is seen in the last two newsletters. One of them is notice. We talk about this all the time. We operate in an interesting world in financial lines claims. It's a claims made and reported world.

And I've talked about this a few times on calls and it's a big deal, these policies are designed to respond to claims both made and reported within a policy period. They're not occurrence claims or policies as a lot of people are used to with CGL type of claims. And so it's really critical that everybody continue to acknowledge the difference and understand the ramifications. In the last 12 months, the amount of litigation we've seen on this issue of notice of a claim both made and reported in policy period has been alarming. It's not a renewed effort by the carriers. And carriers continue to be very, very aggressive about utilizing this pretty basic insurance concept that they're claims made and reported policies. It goes to the very nature of what that policy covers as opposed to giving notice under a GL of a slip and fall.

There's a prejudice component which doesn't exist in our world. So that's the first thing. Early and often when you have any sign of somebody accusing you of wrongful act as it pertains to your financial lines cover - D&O, E&O, employment practice, fiduciary - investment managers, asset managers, reach out to the broker in our team early and often to have a discussion about whether something should be submitted as a notice. And one of the things that's really interesting in the world is some arguments made by carriers. Where we'll look and push really hard to get something noticed as a claim, the carrier will reject it because it's not enough of a claim. But if the client doesn't report that, the carrier will inevitably look back at that email, look back at that letter and say, you should have told us about a claim, even though that exact same claim template used by that plaintiff's lawyer was rejected as a claim in an unrelated claim.

So, big deal. And then the other thing I want to talk about as part of early and often communication with the claims group is related litigation. We have several claims or several stories of coverage litigation involving interrelated claims. This is a sword and a shield, and I've talked about this before, of the issue of whether a subsequent claim or a current claim is related to a claim that was made prior to this current policy. And it's not going to be covered under this policy and may not be covered in any policy. It continues to be a source of a lot of litigation. When I look at the amount of litigation that was involved last year, I'd say a good 15%, 20% of cases involved this relatedness issue. And so, again, early and often, and this is something that we can and should continue to explore language in the policy because it's a defined term in the policy.

And because it's a sword and a shield, we have to be careful what we wish for. Do we want a narrow definition of related? Do we want a broad definition related? We want to make sure that it's consistent from policy year to policy year. Because we don't want to create a gap, and we also don't want to create some unintended consequence of having a very narrow definition interrelated. And then you get a subsequent claim, which is 20% overlap and the carrier says it's not related, please pay another retention. And we're unhappy about that. So there's a lot that goes into this related issue. And as I mentioned, it's a sword and shield and because of that we see variations of a fact pattern that is a pretty broad spectrum of the disputes. But the theme of what I'm trying to communicate of this pretty intense increase in coverage litigation is please reach out to David, me and and our team and your broker early and often. Whenever you get any hint of an issue, a complaint, an internal observation or discovery of a wrongful act that may lead to loss damages litigation, please reach out to us. That's one of the key themes from last year and kicking off this year. David, perhaps you could comment about Florida HB473 and the implications and ramifications from that legislation.

David Finz (09:19):
Yep. Thanks, Steve. You know anybody who's listens to these podcasts know I'm not necessarily a big fan of government regulation in the cyber arena, but this one is a breath of fresh air. Here we have a bill pending in the Florida legislature, which if it becomes law offers what I believe is a radically different approach. It was recently reported in the National Law Review that HB473 would offer a safe harbor against data breach litigation to businesses operating in Florida that maintain a robust level of cybersecurity in compliance with government and industry standards. Now, this bill's known as the Cybersecurity Incident Liability Act, and it aims to offer businesses an incentive to stay on top of their network security and data protection by providing an affirmative defense against tort claims arising out of data breaches. And it's no secret, the plaintiff's bar is always looking to file class action lawsuits against businesses who fall victim to a breach, even after the company provides notification and offers credit monitoring and identity theft protection to its customers.

Now, this legislation doesn't prevent plaintiffs from doing that, but it basically says that if a company can offer up proof that its practices were in substantial alignment with generally accepted cybersecurity standards, that will shield them from potential liability arising out of the breach. Now, it's important to note this legislation does not mandate specific cybersecurity measures. Instead, the bill gives businesses the option to select from one of several recognized frameworks. And we have the NIST standards, the NIST Framework, National Institute of Standards and Technology. We have ISO 27,000. We have the Center for Internet Securities Critical Security Controls. All of these are acceptable industry standards that businesses in Florida would be able to follow if this bill becomes law. The safe harbor also is available to businesses to demonstrate compliance with federal legislation such as HIPAA or Graham Leach Bliley, if they're a financial institution or the Federal Information Security Modernization Act.

I think this flexibility is important because having a cookie cutter approach doesn't take into account the size of the business, the nature of its activities, the sensitivity of the data that they're holding, or the resources available to that company to implement improvements in security. And personally, and I'm speaking for myself here, obviously not the company, I think this is a step in the right direction. This legislation really focuses on incentivizing businesses to adopt better controls. I believe the government has a role to play in protecting consumers and keeping our critical infrastructure secure. You know, but over the past few years, we've seen what I believe is too many sticks and not enough carrots. And this legislation essentially says to businesses, we understand that you're under constant threat from cyber criminals and rogue employees and activists. So if you do the right thing, but you fall victim to a cyber attack in spite of it,

We're not going to let the plaintiff's bar have a field day with you and add insult to injury. Now, this bill has a ways to go before it's signed into law, but there's no time like the present for companies to adopt better security controls. And our risk consulting practice here at Alliant can help them do that, whether it's through conducting a risk assessment to pinpoint vulnerabilities and propose options to remediate them, developing or refreshing a company's incident response plan, or reviewing and revising their information security policies. Our goal is to partner with our clients and help make their network and their data assets more secure. And this has the effect of improving their risk profile in the eyes of the underwriters. So it helps them with their insurance renewal. And if these safe harbor provisions do become law in Florida and other states follow, then our clients will be in the position to benefit from those safe harbors because they've already gotten ahead of the curve in implementing the security controls that are in line with industry standards. So, this is a positive development on the legislative front that we don't often see.

Steve Shappell (13:54):
Yeah. Thanks David. And I encourage you to look at the last two newsletters and if you have any questions, reach out to any of us listed on the Executive Liability Insight newsletter. And as always, visit alliant.com to get access to the newsletter and these podcasts.