Cyber Risk for Dental Practices

By: Christopher Verbiest
Vice President, DBC

With more practices going paperless or considering it, and with ever-changing technology, dentists are increasingly at risk for a data breach. Most dentists are not aware that their professional liability, general liability, and property insurance policies either exclude or provide very limited coverage for cyber and privacy data breaches.

The fact that dental offices retain personal information on their patients such as health history, birthdates, social-security numbers, etc., increases the risk for cyber liability exposure.

The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to safeguard the privacy of patient health information (PHI) and other information. In 2009, additional legislation known as the HITECH Act was passed, which significantly strengthened many aspects of HIPAA’s security rules, including creating a new penalty system making monetary penalties mandatory for violations.

In addition to the federal requirements, most states have their own notification laws and penalties, which can vary from state to state and can be very broad in scope. For practices with patients (active or inactive) who have moved to other states, knowing where those patients have moved and being familiar with those states’ requirements can be a challenge. Nevertheless, if such a patient’s data has been compromised, the dentist will also be subject to that state’s legislation and penalties in addition to HIPAA.

What are cyber threats to your practice?

Healthcare organizations, including dental practices, are commonly targeted by hackers. Cyber liability can also include:

  • The theft or the loss of a laptop, smart phone or other portable electronic device used to access PHI
  • Employee theft of confidential PHI
  • A simple employee mistake, such as administrative error
  • Office burglary of electronic equipment or data containing PHI

What are the associated costs and consequences of a cyber breach?

  • HITECH monetary penalties for violations from “did not know” to “willful neglect” range from $100 to $50,000 for each violation
  • State penalties and fines may apply
  • Defense of a lawsuit brought on by a patient(s) whose data was compromised
  • Costs for forensics and the investigation to determine which patients were affected by the breach
  • Cost to notify all affected patients
  • Cost for credit and identity theft monitoring for affected patients may also apply
  • Cost related to an Office of Civil Rights investigation and State Attorney General office audits
  • Lost revenue from reputational damage

The cost of jumping through all of the federal and state compliance hoops involved in a data breach can be as high as $300 or more per compromised record. That could mean tens of thousands of dollars and hundreds of hours of your time, depending on the number of patient records affected.

Recognizing this exposure, DBC has assisted in developing a new insurance policy designed exclusively to assist and protect dental practices with their liability if they do incur a data breach.

For more information, or if you have any questions, please call DBC at (855) 260-4538.