A small medical practice with four practitioners using a network of several computers discovered a virus had entered its system – the result of a staff nurse opening a bogus email believed to be from the practice's courier company.
Despite the practice having anti-virus software and employee controls to prevent such incidents, it was found that the anti-virus software only detected known viruses. This new virus was able to enter undetected, proliferate and infect their computers.
Complicating matters, the virus allowed an external party responsible for spreading the virus to gain entry to the network and individual computers, allowing access to highly sensitive patient information and medical records.
The practice was forced to erase, cleanse and restore all data from their systems in order to rid itself of the virus. The practice also received complaints and actions from patients who felt their privacy had been compromised. The practice's existing Public Liability and Professional Indemnity policies did not provide cover for the significant costs incurred, as data restoration damage caused by viruses were excluded from their policies.
In this case, had the practice opted for a Cyber Liability policy, they would have received both first and third-party coverage (being cover for the practice's financial loss and interruption, as well as cover for privacy actions taken against them by their patients). This amounted to:
This claim example is based on actual events that occurred in a professional services firm, however some of the information has been adapted to relate to the medical industry, and to protect the identity of the company involved.