Volume 13

HealthSure Headlines - A quarterly information digest for health care providers
In This Issue
  • When the inevitable happens…
  • Average cost of healthcare data breach
  • Are you rolling the data breach dice?
  • The economics of employee identity protection
  • ACA Update: Pay vs Play
  • Moore County Hospital District wins TORCH Light Award
  • Client Question Corner

Looking forward to seeing you at the TORCH Critical Access Conference

Hyatt Lost Pines Resort, Bastrop, TX, June 25-26, 2014




Milestone: Participant count reaches 60!


The continuous growth and success of the TORCH Insurance Program managed by HealthSure was highlighted in early May of 2014 as the 60th TORCH member joined the program.


Since HealthSure began managing the program in 2007, participation has increased by 35 percent and the number of policies has increased by 197 percent.


Acknowledging the milestone, Brant Couch, HealthSure president, said, “With each new member, the program’s ability to deliver value, exceptional selection, and service grows. As a group, our buying power has tripled!”

Client Question

What are the benefits of identity theft protection?


Need help? Have a question?

Call us at

(888) 665-1539 or email








Editor’s Note


As technology continues to fuel an “e-health” revolution, protecting patient privacy is an increasingly complex and costly challenge. As part of our mission to help you succeed in the increasingly complex world of risk and insurance, we take a look at privacy breach prevention, privacy liability protection, and new ways for you to enhance your prosperity.



When the inevitable happens…

Making sound buying decisions in complex times

By Jennifer Fudge RPLU & Michelle Prosser CRM, CIC


With over 80,000 HIPAA breach cases being reported between 2003 and 2013, the question seems to have changed from “What happens if a data breach occurs?” to “What do we do when a data breach occurs?” Is your organization ready for what appears to be inevitable?




Average cost of healthcare data breach = $1,973,895

Benchmark study says one lost or stolen record costs $188

By Curtis Verstraete

And the study says… you’re not alone when it comes to wrestling with the new challenges created by “electronic” healthcare.

Are you rolling the data breach dice?

After-the-fact logic can prove costly

By Brant Couch, CPA, CIC

The evolving and increasingly complex nature of cyber liability is being met with an increasingly sophisticated set of insurance solutions. Are you keeping up?


HealthSure News

Moore County Hospital District Wins TORCH Light Award

Recognition for quality and safety leadership




The economics of employee identity protection

A new benefit for these digital days?

By Brant Couch CIC, CPA


With the FBI saying identity theft is the fastest growing crime in America, does offering identity theft protection to employees make sense?


ACA Update

Pay versus play penalties coming in 2015


In July 2013, the IRS gave employers an extra year to comply with the employer shared responsibility provisions of the Affordable Care Act (ACA).









When the inevitable happens…

Data breach prevention and protection strategies

By Jennifer Fudge, RPLU & Michelle Prosser, CIC, CRM


This past February, St. Joseph Health System confirmed a security breach affecting the records of up to 405,000 past and current patients, as well as employees and their beneficiaries.


A report published on the InformationWeek website says the attack is believed to have begun at some point between December 16th and 18th and ended on the 18th, when St. Joseph shut down the affected server.


Investigators say records including names, Social Security numbers, dates of birth, home addresses, as well as the medical information of patients and bank account data for employees were at risk.


The event is the largest breach reported by an individual health system and could potentially be the biggest loss of patient data reported by an individual hospital.

The St. Joseph breach shines a bright light on how the evolution of data management, use, and sharing in healthcare is creating new security threats.


Assume the best, prepare for the worst

It is impossible to anticipate every threat, so your best bet is to plan for your security to fail. Determining the answers to questions like these will help:

  • Can we get rid of any data we do not need?
  • Does all the data we have online have to remain online?
  • Can we reduce the number of people with access?

In addition to acting on the answers to these questions, you need to develop a plan for managing a breach and insure any risks that remain.


Key risk controls

The relevance of HealthSure’s “Prevent, Protect, Prosper” tagline to the rapidly evolving risks created by “e-healthcare” is undeniable. After reviewing the St. Joseph case our team created this prevention checklist:

  • Policies: The policies you have in place are the primary means by which management provides direction to employees
  • Incident Response Plan: The act of becoming well prepared to respond to an incident enables an organization to identify ways to reduce or eliminate vulnerabilities
  • Training: For policies and response plans to be effective, employees must be trained regarding privacy and security exposures along with the applicable policies and procedures linked to such exposures
  • Technical Security Controls: Includes firewalls, anti-virus software, patch management procedures, encryption, a process to assign and terminate user-IDs and passwords, and others
  • Physical Security Controls: Includes door locks, segregating server rooms from any other area of the organization, and personnel access systems


Unique protection

The response to a data breach is a complex undertaking and insurance coverage varies with every carrier, product type, and policy. The key protection features you need to consider in an insurance product are:

  • Duty to defend wording
  • Safeguard exclusions
  • Insured versus Insured Exclusions (Are employee suits covered?)
  • Coverage for information regardless of the medium (Are paper files covered?)
  • Coverage for failure to comply with own security policy?
  • Coverage triggers (Incident or lawsuit?)
  • Notification costs coverage in states without Privacy Laws
  • Vicarious Liability for the Acts of Others
  • Intentional Acts Exclusion (Are the acts of “rogue” employees covered?)
  • Coverage for both PII and confidential corporate information?
  • Worldwide Coverage (Are events and claims covered anywhere in the world?  Does the suit have to be filed in the U.S.?)

You are not alone

We can help. If you are interested in knowing your organization’s level of exposure to data breaches and other cyber risks, we can help you conduct a cyber risk assessment. The results of the assessment will help determine if you need additional assistance to prevent and protect your organization from the fallout of a data breach.



Average cost of healthcare data breach = $1,973,895

Benchmark study says one lost or stolen record costs $188

By Curtis Verstraete
Managing risk and insurance related to patient privacy and data security is made simpler when you have a clear understanding of the environment surrounding your organization. It also helps to know what other healthcare leaders are doing to address the risks that come with rapidly changing technology, regulatory and legislative upheaval, and the overhauling of reimbursement policies.
Recognized as a leading source of this type of information, “The Fourth Annual Study on Patient Privacy & Data Security,” conducted by the Ponemon Institute and released in March 2014, reveals new and expanded threats to the U.S. healthcare system.
Here are some of the highlights from interviews conducted with 91 healthcare organizations:
  • Progress is being made in reducing the number of breaches
  • Ability to control data breach costs improves
  • ACA puts patient data at risk
  • ACO participation increases breach likelihood
  • Insider-outsider threats to sensitive data are on the rise
  • Healthcare organizations are struggling to comply with the HIPAA Final Rule

Data breaches decrease slightly

90 percent of participating organizations had at least one data breach in the past two years. 38 percent report having more than five incidents compared to 45 percent in the previous study.


Cost control improves

The average economic impact of data breaches for the healthcare organizations represented in this study is $2 million: a decrease of almost $400,000 or 17 percent since last year.


ACA puts data at risk

69 percent of respondents said they believe the ACA significantly increases risk to patient privacy and security. Primary concerns included insecure exchange of patient information between healthcare providers and government, patient data on insecure databases, and patient registration on insecure websites.


ACO participation increases breach likelihood

Over half of participating organizations are part of an Accountable Care Organization (ACO), and 66 percent say the risks to patient privacy and security due to the exchange of patient health information among participants have increased.


Insider-outsider threats to sensitive data are on the rise

Criminal attacks on healthcare organizations have increased 100 percent since the first study in 2010: 20 percent of organizations reported criminal attacks then, compared to 40 percent in this year’s study.


Employee negligence is considered the biggest security risk. 75 percent of organizations say employee negligence is their biggest worry, followed by use of public cloud services, mobile device insecurity, and cyber attackers.



Despite concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices to connect to organization networks and enterprise systems such as email.


As use of cloud services increases, the level of security confidence decreases. Only one-third of study participants are very confident or confident that information in a public cloud environment is secure. 40 percent say they use the cloud heavily, an increase from 32 percent last year.


Struggling to comply with HIPAA’s Final Rule

Half of healthcare organizations are compliant with the post-incident risk assessment requirement in the Final Rule. 51 percent of respondents said they are in full compliance while 49 percent report they are not compliant or are only partially compliant. 39 percent say their incident assessment process is not effective and cite a lack of consistency and inability to scale their process as the primary reasons.


A majority says the HIPAA Final Rule has either not affected patient data privacy and security programs or it’s too early to tell. The biggest change has been to require policies and procedures to be updated.


Healthcare organizations don’t trust their third parties or business associates with sensitive patient information. 73 percent of organizations are either somewhat confident or not confident that their business associates would be able to detect, perform an incident risk assessment, and notify their organization in the event of a data breach incident as required under the business associate agreement. The business associates they worry most about are IT service providers, claims processors, and benefit managers.


Less than half of organizations have personnel who are knowledgeable about HITECH and their states’ data breach notification laws.


Less than half are in full compliance or nearly in full compliance with the Accounting of Disclosures (AOD) requirement.


55 percent say they have the policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss, or theft. Unfortunately, the budget, technologies, and resources needed to safeguard patient information from a data breach are not as available.


For a complete copy of the study, visit http://www2.idexpertscorp.com/

Are you rolling the data breach dice?

After-the-fact logic can prove costly

By Brant Couch, CPA, CIC

Every healthcare organization with a network, database, and online presence faces an increasingly complex and growing amount of risk. Yet, some healthcare leaders are taking a wait and see approach to covering these risks.


In a notice sent to healthcare providers in early April 2014, the FBI said, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”


Hackers love health data

Reuters News agency in its coverage of the notice repeated a fact that is becoming more widely known: “Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.”


In this rapidly evolving environment, it is important to realize most traditional business policies do not cover risks associated with:

  • The theft of customer data resulting from a lost or stolen laptop
  • Failure to follow federal or state patient notification regulations when personal data has been illegally accessed
  • Connected medical devices, network-attached printers, faxes, and surveillance cameras. According to SANS, a respected source for computer security training, certification, and research, these devices are being targeted more often than major information systems.
  • Online health monitoring
  • Accidentally passing a virus or other type of malware to suppliers and ACO partners
  • Employee slander of another organization in a blog or social media site
  • Content posted on your website that infringes on copyrighted material

Wait and see can be costly

A recent HealthSure case highlights the issues facing healthcare organizations that are taking a wait and see approach. We conducted a cyber risk assessment over 12 months ago for an organization we felt could benefit greatly from an appropriate amount of cyber coverage. Despite the logical results the assessment produced, the decision makers declined on the basis that their organization had never had a claim of this nature.


In the ensuing 12 months, a costly data breach occurred. After the dust settled, HealthSure was asked to help with the acquisition of an appropriate amount of coverage. The coverage now costs approximately 35 percent more than it would have a year ago (not to mention the reluctance of some carriers to offer coverage at all).


Burning down the house to save money

As things change, our logic must change with it. These days, not having appropriate cyber coverage is like saying, “I will not buy home insurance until I have a fire… and depending on how bad it is, I will then decide if and how much insurance I will buy.”

In case you are wondering if you should be concerned, reading the other stories in this issue of HealthSure Headlines might help you decide. Then, if you are interested in knowing your organization’s level of exposure to data breaches and other cyber risks, we can help you conduct a cyber risk assessment.

The economics of employee identity protection

A new benefit for these digital days?

By Brant Couch CIC, CPA


The privacy liability concerns of healthcare organizations extend beyond protecting the personal and health information of their patients. Like leaders in other organizations, healthcare organizations must take into account the risks associated with employee data.


In addressing these risks, some organizations are offering employees the benefit of identity protection services. These organizations pay between $80 and $300 per year, per employee for this service.


Comparing the cost of identity protection to the losses an organization suffers is a complex challenge. For example, how do you measure the cost of a victim of identity theft who isn’t fully focused on his or her work as they address the problem? The Federal Trade Commission (FTC) reports that 10 percent of victims spend at least 55 hours of work time resolving the issues caused by identity theft. The FTC also reports that half of the victims have related out-of-pocket losses, with 10 percent losing $1,200 or more.


The CEO of ID Theft Solutions of America, Jason Lavender, says “employer groups can generally customize an offering to fit their budget. But, make sure any ID theft product you consider does the restoration work for the employee if a breach occurs. This allows them to stay focused on their own jobs while the investigators are restoring their identities; not just assisting the employee, but actually doing the heavy lifting.”


Adding to the complexity surrounding the decision to offer identity theft protection are cases like the recent one at the University of Pittsburgh Medical Center (UPMC). Unauthorized access to the personal information belonging to 27,000 employees has prompted UPMC to offer identity protection services to all 62,000 employees. The program costs approximately $250* per employee or a potential total of $15.5 million per year!


*Source: Next Advisor


It seems reasonably safe to assume UPMC is hoping to avoid any further damage to its reputation as an employer. That said, it is difficult to assess the benefit UPMC would have accrued if it had been offering employees identity theft protection before the data breach.


“People are beginning to understand the necessity of having an incident response plan,” Lavender says. “A big part of that plan is including voluntary employee offering because not only does it help with early detection of a breach, it can significantly decrease the expense should a breach occur. We generally see our clients saving over 40 percent when responding to a breach. That really adds up when the average cost of a healthcare data breach is well over $1 million.”


Deciding to take a proactive approach towards identity theft protection, or waiting until a significant event compels you to offer it, is a complex decision but not one that is impossible to manage.


If you are interested in more fully understanding your risks and coverage options, HealthSure can help. To give you confidence in the face of change and the increasingly complex world of risk and insurance, we identify at least 10 key performance indicators you can expect from any insurance coverage. In other words, we help you set benchmarks for performance to ensure your insurance does what you expect, 100 percent of the time.


If you are concerned about identity theft protection, call us to arrange a simple 30-minute discovery conversation to explore your options.


ACA Update

Pay versus play penalties coming in 2015


In July 2013, the IRS gave employers an extra year to comply with the employer shared responsibility provisions of the Affordable Care Act (ACA).


In facing the “play or pay” decision, employers must offer full-time employees healthcare coverage or send them to the public health insurance exchanges and pay fines for doing so.


The penalties for employers with no health plans will be based on how many full-time employees they have. If your organization decides to “pay”, you still need to conduct measurements of employee hours before the 2015 deadline. If your organization plans to avoid penalties by offering health plans, you might still face fines if some full-time employees use the ACA premium tax credits to buy coverage on the exchanges.


If you are a member of TORCH, the TORCH Health Insurance Alliance (THIA) can help you assess your preparedness and weigh your options. THIA members have access to a dynamic compliance portal that is proving essential to staying up-to-date.


Non-TORCH hospitals and other organizations can contact HealthSure for a brief and informative discovery conversation that will give them greater clarity and direction.






Moore County Hospital District wins TORCH Light Award

Recognition for quality and safety leadership


The Fourth Annual TORCH Light Award was presented to Moore County Hospital District during the 2014 TORCH Annual Conference and Trade Show in Dallas this April.


Presented by Brant Couch of HealthSure, the TORCH Light Award acknowledges exceptional patient and employee programs that improve the quality of patient care and employee and patient safety.


“Improved safety and care quality for patients takes exceptional focus and leadership,” says Brant Couch. “That is why we are delighted to acknowledge Moore County’s success and contribution to TORCH and the entire Texas healthcare community.”





It isn’t always easy to get the answer to the questions you have. Sometimes it isn’t even easy to come up with the right question!

That is why each issue of HealthSure Headlines will feature one or two questions from our clients and answers from our team or, if need be, outside experts.

If you have a question you can’t find a satisfactory answer to, send it to brantc@healthsure.com


Client Question: What are the benefits of identity theft protection?


For a monthly fee, a growing number of services monitor employee credit files, financials, and personal information. When a potential theft occurs, they notify the employee and provide details of what has happened. When the employee verifies the theft has actually occurred, the service then takes steps to mitigate the damage and assist in identity recovery.


Repairing the damage caused by identity theft usually involves closing and reopening accounts, replacing identification, and other measures that can be time consuming and expensive. Most firms offer service guarantees that say they will spend time and resources equivalent to a certain dollar amount (e.g., $1 million).


This is a list of the features available. Note: Not all firms offer all of these features.

Security

  • Fraud Monitoring
  • Fraud Alerts to Client
  • Fraud Alerts to Credit Bureaus

Information Protected

  • Social Security
  • Street Address
  • Full Name
  • E-Mail Address
  • Telephone
  • Credit Card Numbers
  • Bank Account Information
  • Public Records
  • Loan/Lease Information
  • Criminal Records
  • Sex Offender Registry
  • Driver’s License
  • Medical Insurance

Recovery Assistance

  • Resolution Services
  • Stolen Wallet Assistance
  • Service Guarantee

Help & Support

  • Phone Support
  • E-Mail
  • FAQs
  • Newsletter or Blog
  • 24/7 Phone Support

Additional Features

  • Mail List Removal
  • Credit Monitoring
  • Credit History Reports
  • Family Coverage
  • Computer Security Suite



HealthSure’s mission is to help healthcare organizations succeed in the increasingly complex world of risk and insurance.


Our unmatched focus on healthcare means we know the industry better than anyone else.


It is our job to make sure:

  • Your insurance does what you expect, 100% of the time
  • You stay ahead of ever-changing laws and regulations
  • We’re always there when you need help


We believe simplicity is the cure for crushing complexity.


Small but important print 

This communication is designed to provide a summary of significant developments to our clients. Information presented is based on known provisions. Additional facts and information or future developments may affect the subjects addressed. It is intended to be informational and does not constitute legal advice regarding any specific situation. Plan sponsors should consult and rely on their attorneys for legal advice.
