
Misuse of patient data: The next big healthcare cyber risk?

January 31, 2022

Many cyber policies don’t cover wrongful collection or misuse of patient data. With more health information being shared than ever, is it time for a rethink?

What is cyber insurance?

Most cyber policies provide robust cover for losses and costs associated with data breaches.

This usually means a hack or malware attack resulting in the loss, theft or corruption of business-sensitive information or personal data.

What is wrongful collection and misuse of data?

If organizations collect data without getting the appropriate consent, they may be collecting it wrongfully.

If they use data for a purpose that wasn’t intended, that may be misuse.

Unlike a typical data breach, no one hacks into an IT system or holds a company to ransom.

Wrongful collection or misuse of data usually results from the organization’s own practices, or those of its data-sharing partners.

Do cyber policies cover wrongful collection and misuse of data?

“Cyber policies typically respond well to privacy events resulting from hacks and introduction of malware.”

Robert Barberi | Director, FINEX Cybersecurity and Professional Risk, WTW

However, some policies will require a clear, affirmative coverage extension to cover wrongful use or wrongful collection of data.

In the current hard market, insurers are tending to pull back from such broad wordings, and are more likely to adopt a conservative approach to new areas of cover rather than innovate.

Why should healthcare organizations be concerned?

The pandemic has accelerated the digitalization of care.

Leading data jurisdictions, such as the EU and California, already have strict rules governing how data is collected, shared and used.

While others have weaker protections, public pressure is growing as a result of recent scandals and whistleblower revelations.

People are often willing for their health data to be shared for medical research, but may be less inclined to give their permission if they believe that companies are likely to make a profit from the work.

Other potential concerns include:

  • Drug companies using data to target patients with marketing
  • Profiling of patients based on aggregated data, resulting in higher insurance premiums or reduced services
  • Changes to treatment options based on data-driven algorithms raise the possibility that patients' treatment might be impaired as a result of how their data is used

Regulatory regimes

Europe

The General Data Protection Regulation (GDPR) [1], which came into force in 2018, imposes strict duties on organizations to gather personal data legally, with express consent, and protect it from misuse and exploitation.

U.S.

The California Consumer Privacy Act (2018) [2] creates the strictest data protection regime in the U.S.; data can only be collected for strictly limited purposes, with informed consent.

South America

Brazil’s Lei Geral de Proteção de Dados [3], which came into effect in 2020, is Latin America’s first major data protection law; people must be informed of the purpose their data is collected for.

What do healthcare organizations need to consider?

Have you got the appropriate consent?

“Providers should engage with patients transparently and explain what patients are consenting to, how their data will be used, and how it will flow through systems and on to partner organizations.”

Kirsten Beasley | Head of Healthcare Broking, North America, WTW

Don’t dodge this because the consequences can be severe if people find their data is being used for purposes they didn’t understand.

Explaining things properly can also have a positive effect in helping patients understand the benefits they may receive as a result of the data use.

The GDPR standards of consent provide a good framework to consider. Article 4 of GDPR [4] defines consent as:

  • Freely given: the person must not be pressured into giving consent or suffer any detriment if they refuse.
  • Specific: the person must be asked to consent to individual types of data processing.
  • Informed: the person must be told what they're consenting to.
  • Unambiguous: language must be clear and simple.
  • Clear affirmative action: the person must expressly consent by doing or saying something.

Could the data be re-identified?

In many jurisdictions, express consent is not required for data sharing if the data is de-identified.

“There is increasing concern that some data can be re-identified by cross-checking with other data sources.”

Robert Barberi | Director, FINEX Cybersecurity and Professional Risk, WTW

However, there is increasing concern that some data can be re-identified by cross-checking with other data sources, including some that are publicly available.

The legality of re-identification is not yet clear, which reinforces the need to avoid exposure to the risk by getting express, transparent consent as described above.
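One practical check a provider can run before sharing a “de-identified” extract is to measure how many records remain unique on their quasi-identifiers (ZIP code, birth year, sex), since those are exactly the attributes that can be cross-checked against other data sources. The script below is an added illustration, not code from the article or from WTW: it computes the dataset’s k-anonymity over a constructed set of sample records, lists the records that are unique, and shows how coarsening the quasi-identifiers raises k before release. The record layout, the choice of quasi-identifiers and the release threshold k=3 are assumptions for the example.

```python
from collections import Counter

# Constructed sample extract: names and record numbers already removed,
# but the quasi-identifiers zip / birth_year / sex remain, alongside a
# sensitive attribute that a successful re-identification would expose.
RECORDS = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "birth_year": 1963, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": 1957, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1955, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02141", "birth_year": 1958, "sex": "M", "diagnosis": "depression"},
]

# Assumed set of attributes that could be matched against external sources.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def _key(record, quasi_ids):
    """The tuple of quasi-identifier values that defines a record's equivalence class."""
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence-class size over the quasi-identifiers.

    k == 1 means at least one record is unique on those attributes and
    could be singled out by linking against another dataset.
    """
    counts = Counter(_key(r, quasi_ids) for r in records)
    return min(counts.values())


def unique_records(records, quasi_ids):
    """Records whose quasi-identifier combination appears exactly once."""
    counts = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if counts[_key(r, quasi_ids)] == 1]


def generalize(record, zip_digits=3, year_bucket=10):
    """Coarsen the quasi-identifiers: keep a ZIP prefix, bucket the birth year.

    Returns a new dict; the sensitive attribute is left untouched.
    """
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    start = record["birth_year"] - record["birth_year"] % year_bucket
    out["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return out


def release_ready(records, quasi_ids, k=3):
    """Release gate: every equivalence class must hold at least k records."""
    return k_anonymity(records, quasi_ids) >= k


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    for r in unique_records(RECORDS, QUASI_IDENTIFIERS):
        print("unique on quasi-identifiers:", r)
    coarse = [generalize(r) for r in RECORDS]
    print("generalized k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
    print("release ready:", release_ready(coarse, QUASI_IDENTIFIERS, k=3))
```

On the constructed records the raw extract has k=1 with four records unique on ZIP, birth year and sex; after truncating the ZIP to three digits and bucketing birth years into decades, k rises to 3 and the release gate passes. The threshold and generalization levels are policy choices that should be agreed with the data protection function and recorded alongside the consent basis for the share.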

What governance measures do you have in place?

Some organizations may be unaware of potential wrongful collection or misuse.

For example, they might have obtained consent but it might not be adequate for the purpose or they may not fully understand how their partners plan to use patient data.

It’s important that organizations get on top of this and make sure they have strong controls and checks in place.

Call to change

With the increasing digitalization of healthcare, we’re likely to see greater interest from regulators and the public in potential wrongful collection and misuse of patient data.

High profile cases have shown the potential for large-scale privacy infringements and claims.

But there’s a gap between the risks and the cover offered by most cyber insurance.

We need cyber policies that can respond and offer some protection to healthcare providers engaged in the collection, processing and sharing of data.

Given the pronounced losses that could result from claims alleging wrongful collection or wrongful use of data, it’s imperative that healthcare organizations pursue the broadest possible wording on their cyber policies.

Disclosure

WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in which WTW operates. For further authorisation and regulatory details about our WTW legal entities, operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements.

Willis Towers Watson Insurances (Ireland) Limited, trading as Willis Towers Watson is regulated by the Central Bank of Ireland. Registered in Ireland number 78812.

Sources

[1] General Data Protection Regulation (GDPR) Compliance Guidelines

[2] California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General

[3] ANPD — Português (Brasil)

[4] Article 4 GDPR. Definitions

Contacts

Yvonne Hourigan
Account Director, Corporate Risks, WTW
