CFC introduces medical billings cover for US healthcare providers

Comprehensive policy provides protection against allegations of healthcare fraud and abuse, includes cyber and privacy cover

London, 12 September 2018 — Specialist insurance provider, CFC, has introduced a new product to its growing suite of healthcare insurance solutions available to US healthcare providers.

Allegations of healthcare fraud and abuse by government entities and private payers are more prevalent than ever before. CFC’s new Medical Billings insurance covers the defense costs of actual or alleged billings fraud as well as expenses arising from an independent audit on billing practices following an allegation of fraud.

Timothy Boyce, US Healthcare Team Leader at CFC, comments: “Since the formation of the False Claims Act, allegations of healthcare fraud and abuse have increased exponentially. Healthcare providers have to navigate a challenging and often confusing set of reimbursement guidelines which has seen the rate of billing errors rise above 30 percent. Our new Medical Billings product has been specifically designed to provide comprehensive protection following billing error allegations by the federal government, private payers or regulatory investigations.”

The policy also offers reimbursement for fines and penalties arising out of a range of medical regulatory violations including HIPAA-related fines and penalties, Stark law, EMTALA and Federal False Claims and Social Security Acts.

Its cyber and privacy insuring clause has been tailored to address the specific cyber exposures faced by healthcare companies and includes specific references to HIPAA and HITECH legislation, as well as offering a separate section for extortion to address the growing threat of ransomware.

CFC’s Medical Billings product is the latest in its extensive portfolio of healthcare insurance solutions for US companies.

  • Launched last fall, CFC’s ground-breaking eHealth product now insures hundreds of US domiciled companies, offering telemedicine related services to the US military and Veterans Association in more than 70 countries. Providing a blend of medical malpractice, tech E&O and cyber, the policy is designed to eliminate the gaps present in traditional insurance offerings for digital healthcare companies.
  • CFC’s healthcare suite also includes tailored solutions for allied health and medical practitioners working in a wide range of specializations, long term care facility providers, and businesses and individuals working in the health & wellness arena.
  • A leading provider of cyber insurance, CFC launched an expanded version of its standalone cyber policy for US healthcare providers in April.

“We’re constantly reviewing the needs of the healthcare industry, as well as the changing regulatory landscape, to ensure we’re offering valuable, compelling solutions to our US healthcare insureds,” adds Boyce.

For more information, please head to the Medical Billings product page.

Webinar: US Food & Beverage Recall Landscape Update

Yesterday we held a webinar which discussed the Food and Beverage Recall Landscape in the USA. 

The risk landscape for food & beverage manufacturers in the US is changing dramatically – picky millennial consumers are growing less tolerant of allergens and food quality issues, the FDA is making a push for greater efficiency and transparency in its recall process, and an increasing number of retailers and grocery stores are mandating recall insurance for their suppliers.

You can watch the webinar here and download the slides here.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.

We Write That

We know that businesses come in all shapes and sizes, from global multi-nationals to small independent shops, and the goods and services these companies provide vary just as widely.

CFC provides insurance for companies across hundreds of sectors in over 75 countries, and while many of our clients come from what we’d consider traditional industries, we’re no stranger to the unusual.

Here’s a look at just a few of the interesting, and sometimes unexpected risks we write:

Animal Therapy
Who wouldn’t benefit from an animal cuddle? Animal therapists use animals – like horses, dogs, cats, pigs, and birds – to enhance and complement the benefits of traditional therapy, helping patients reduce anxiety, improve self-esteem and address a variety of medical conditions.

These practitioners provide a form of therapy, so they’re required to buy Errors and Omissions insurance along with General Liability, which we can cover in one policy. Animal therapy businesses will be covered under our Allied Health & Medical product.

Tequila Yoga
Yep, you read that right, tequila and yoga. Need we say more? An unconventional take on a typical yoga class, these businesses will offer a fun tipple before, during or after a workout. We guess they call that hair of the downward dog!

The availability of alcohol changes the nature of this otherwise typical fitness club risk. Many insurers shy away from risks with liquor exposures, but offering alcohol – whether tequila, wine or beer – is becoming more common at health and wellness facilities like spas. We recognize that these risks aren’t a typical liquor exposure, and can include liquor liability when underwriting these accounts.

Equine photography
For horse lovers, capturing the connection between owner and animal through photos can be just as important as capturing their yearly family portrait. These photographers specialize in working with horses to produce one-of-a-kind portraits and action shots.

Photographers like these need to protect themselves from claims arising out of breach of contract and intellectual property infringement. Our Media policy is purpose-built for photographers of any breed to ensure they are protected while capturing that perfect shot!

Free throw, slapshot, and hole-in-one competitions
Whether basketball, hockey or golf, one common tactic to engage eager fans is to offer a lucky spectator the chance to win a large prize (and become a local star) by making a once-in-a-lifetime shot.

We cover the financial costs should there be a particularly talented – or just plain lucky – contestant.

Microblading & Vampire Facials
Innovation abounds in the beauty business. Microblading uses tiny needles in the shape of a blade to apply a semi-permanent tattoo, promising patients better looking brows. Vampire facials (PRP therapy) on the other hand, promise anti-aging benefits by injecting the patient’s own blood back into their face.

Both these and other unique beauty treatments and procedures are often covered under our Health & Wellness product.

For more about CFC’s insurance products or the industries we cover, click here.


Cyber is one of the hottest topics in insurance and, as a line of business, it’s projected to experience phenomenal growth in the years ahead. But cyber is still a relatively new market, and can be made unnecessarily complex by industry jargon, buzzwords of the day, and a lack of standardization in policy wordings. As such, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy.

To clear up the confusion, here are six of the most common misunderstandings that businesses tend to have about cyber insurance and how to overcome them.


Did you know we’re also running a webinar on this topic? You can sign up here!



The short answer:
No matter how much a company invests in IT security, they will never be 100% secure. The purpose of an insurance policy is to respond in the event that the worst happens.



The short answer:
Even if you outsource your IT, the chances are you’re still liable. Assuming you’ll be successful in claiming back damages from a third-party is a risky gamble.



The short answer:
Any business that relies on a computer system to operate, whether for business critical activities or simply electronic banking, has a very real cyber exposure.



The short answer:
Cyber criminals target the most vulnerable companies, not just the most valuable.



The short answer:
Some overlaps exist (as they do with all lines of insurance) but traditional insurance policies lack the depth and breadth of standalone cyber cover, and won’t come with experienced cyber claims and incident response capabilities.



The short answer:
The number of cyber claims continues to rise, in terms of both frequency and severity, and insurers are paying them.


You can download the full article here.



This month’s cyber claims case study is “Quick Fix Complication.” This tells the story of a US-based healthcare service provider that fell victim to a ransomware attack.

Thanks to CFC’s in-house incident response team, the healthcare service provider managed to avoid a costly notification to their entire patient population and the consequential reputational harm that may have arisen from such a notification.

The key takeaway points are as follows:

  • It is essential that when a ransomware attack or any other cyber event occurs, policyholders should engage their cyber insurance provider as soon as possible. By doing so, a co-ordinated response to the event can be devised and any evidence that may become crucial later on can be preserved from the outset.
  • The cyber insurance market is becoming increasingly competitive, with new carriers regularly entering the market. Businesses should be aware, however, that not all insurers are alike, and the skills and expertise that a well-established, experienced cyber insurer can bring can make a big difference, especially when making a claim.
  • By having our in-house incident response team with specialist knowledge of cyber security and forensics, we were able to prevent the policyholder’s claim costs from escalating and ensured that the organisation’s reputation didn’t suffer unnecessarily. If they had been with a less experienced cyber insurer without a dedicated in-house incident response team, they may have gone ahead with the breach notification process.

You can download the case study here.

Cyber Insurance Guide

As we become increasingly reliant on technology, the potential impact of cyber-related incidents continues to grow. Yet the cyber insurance market is relatively new in comparison with other lines of cover.

This straightforward guide explains how cyber risk and insurance have evolved and how a good cyber policy addresses these modern exposures.

“Cyber” is one of the most talked about topics in business, insurance and media but also seems to be one of the most misunderstood. And with good reason – it is an area associated with jargon, buzz words and what feels like a whole lot of complexity.

This is largely down to the fact that the development of cyber insurance has historically focused primarily on third party privacy exposures. At the same time, traditional insurance policies have tried, but rarely succeeded, at addressing cyber risks; this has left clients believing many exposures are covered when they actually aren’t.

So what should we mean when we talk about cyber risk? What do clients need to protect themselves against? The real answer is crime. Technology has revolutionised the world for businesses and individuals alike and the past twenty years in particular have seen monumental shifts in human behaviour directly linked to technological advancements. From the way we shop to the way we access bank accounts and book holidays, everyday life has changed fundamentally.

However, while the technology revolution has brought with it unparalleled levels of convenience and choice to millions of people across the globe, it has done the same for the criminal underworld. It is now far easier and far more lucrative for criminals to ply their trade digitally rather than physically. Cyberattacks are the modern crime and cyber insurance is the way to protect against them.

Download and read the full guide here.

Healthcare in Transit

As the elderly population in the US continues to grow, so too does the necessity for non-emergency medical transportation services to cater to this demographic in both urban and rural areas nationwide. The transportation services provided by these companies are vital to the accessibility of routine healthcare services and survival of patients who otherwise would not be able to make it to routine medical appointments. Some of these potential barriers may include a lack of mass transit options and significant distances to their providers. In addition, a patient’s physical disabilities and/or financial circumstances can also further complicate access to these services.

The rising need for these services can be felt even more palpably in rural areas as these geographic regions statistically contain a larger portion of elderly inhabitants than do urban areas where providers are located at significantly closer distances. Further to this point, the geographic isolation of patients residing in rural areas typically carries with it the burden of more chronic health conditions, poverty and, consequently, poor health outcomes.

To highlight this point, studies have uncovered that nearly four million Americans have experienced some type of transportation complications which have led to them missing scheduled appointments. This also levies a devastating blow to healthcare providers as no-show rates, in some instances higher than 30%, have cost providers more than $150 billion per year.

The impact of patients’ inaccessibility to affordable and convenient transportation services has not gone unnoticed by the tech industry, however, as we have recently seen on-demand transportation app giants Lyft and Uber make their entrance into the healthcare field. Lyft has partnered with the healthcare information exchange platform Allscripts to integrate “ride-hailing functionality” into Allscripts’ database platform, which will allow nearly 200,000 providers to request transportation services for their patients through the Lyft application. Similarly, Uber has recently launched Uber Health, which deploys a comparable ride-hailing functionality for the patients of its partner healthcare systems, most notably MedStar and LifeBridge.

Uber and Lyft’s presence in healthcare transportation may well prove to be an effective remedy to an ailing community of patients who otherwise would have less accessibility to healthcare appointments and quality outcomes. However, this does not come without the gleaming risk exposure that current and longstanding emergency and non-emergency medical transportation services are faced with on each and every patient transport. Perhaps the most prevalent source of claims faced by these companies is injuries sustained by patients during the loading and unloading phases of the transport. As many of the patients requiring these services have significant physical limitations, this puts the onus on the company to ensure that all employees have been properly trained to perform these tasks. Other sources of claims in this class which may lead to a sustained bodily injury by the patient(s) in transit include but are not limited to collisions with other vehicles or objects, failing to secure or improperly securing a patient to their seat, failing to properly secure wheelchair bound patients, the improper use of chair lifts and potentially leaving patients in extreme or unsafe conditions unattended.

With these risk factors in mind, it will be the responsibility of tech companies like Lyft and Uber, and surely many others who follow suit, to ensure that they are employing competent, well-trained and vetted employees who are only providing transportation services to patients which are in line with the safety installations of the vehicle they are operating, such as four-point tie downs for wheelchair and stretcher bound patients.

Overall, this industry class will only continue to be relied upon as a necessity in the years to come and it is primarily important for providers in this space to hold their employees to the highest standards of training and risk mitigation. Non-emergency transit appointments have the potential to quickly escalate into emergency transports due to an unexpected change in the patient’s condition along the way which, if not properly handled, can lead to a delay in services that may subsequently lead to a loss of life. It is also crucial for insurance brokers who will be placing coverage for non-emergency medical transit companies to fully understand the risk exposure presented by these companies and ensure that the carrier will not be excluding claims for some of the fundamental services provided, such as loading and unloading.

California Consumer Privacy Act of 2018

At the end of June, California state legislators passed the California Consumer Privacy Act of 2018. Coming into effect on January 1st 2020, the act is set to bring in a number of data protection requirements and new consumer rights similar to those enacted by the EU’s General Data Protection Regulation.

However, amid all the noise about the bill’s passing, one crucial area of the act appears to have been given surprisingly little attention – California has established a minimum cash amount that victims of a data breach could expect to receive should they pursue damages.

The act stipulates that consumers whose unencrypted or unredacted personal information has been subject to unauthorised access, exfiltration, theft or disclosure, as a result of a business’s failure to implement and maintain adequate security standards, will be able to claim damages of $100 as a minimum and $750 as a maximum per incident or actual damages, whichever is greater.

The law will apply to organisations that are run for profit, do business in California and meet one or more of the following thresholds:

  • Annual gross revenues in excess of $25 million;
  • Annually buy, sell or share the personal information of 50,000 or more consumers, households or devices;
  • Generate 50% or more of annual revenues from the selling of consumers’ personal information.

This particular part of the act marks a change of fundamental importance for a number of reasons. First, it will almost certainly increase the financial exposure that businesses face as a result of a data breach. Now, even a relatively small breach of, say, 1,000 records could result in statutory damages of $100,000-$750,000 being claimed.

Secondly, it is likely to lead to a big uptick in class action cases in general. To date, claimants in data breach class actions have often struggled to demonstrate standing as it can be difficult to prove what, if any, financial harm might be experienced as a consequence of a breach. For smaller breaches, this has meant less impetus on the part of plaintiff attorneys to bring class actions.

But with the law now enshrining minimum statutory damages for certain data breaches and with affected consumers knowing that they might stand to receive up to $750, we could see a proliferation of class action cases when the act comes into force from opportunistic lawyers looking to get involved in lucrative cases. Importantly, this could lead to a surge in class actions resulting from smaller breaches in particular.

Finally, the act sets a precedent. Back in 2003, California was the first state to introduce breach notification laws. Now, just 15 years later, every state in the union has implemented such laws. Could this act mark the beginning of minimum statutory damages being introduced elsewhere? If history is anything to go by, it shouldn’t come as a surprise if similar acts become more widespread.


Insurance and the digital health revolution

Timothy Boyce, US Healthcare Team Leader, CFC

Healthcare is about to change beyond recognition. A host of technologies are uniting to transform the way we treat patients and develop cures – from artificial intelligence to remote patient monitoring and interactive telemedicine services.


According to Rock Health, $1.6bn of funding flowed into the eHealth sector during the first quarter of 2018, exceeding comparable investment marks for the previous two years. The principal driver: deregulation. In the last twelve months we’ve seen the formation of the Chronic Care Act, which will pave the way for greater use of technology in healthcare, and the VETS Act, which allows providers to treat veterans across state lines using telehealth. The next segment will be the Opioid Crisis Act, which promises to put an end to a crisis with the assistance of telemedicine, digital pills and analytics tools.


The FDA have also played a key role in the rise of digital healthcare. In their budget for 2019, Scott Gottlieb cited that ‘we’re seeking to advance a new paradigm in the regulation of digital health technology that I believe will allow us to grow this promising field more quickly’. This of course was in reference to their Pre-Cert Pilot Program, which will aim to look at the software and/or digital health technology developer, rather than primarily at the traditional medical product/device. Since then they’ve also approved a ‘trackable’ pill which is linked to a patch and a smartphone to detect medication compliance.



As the healthcare and technology sectors continue to intertwine, practitioners and companies operating in the digital health space will start to experience a wider range of risks. From misdiagnosis of medical conditions due to the distortion of x-ray images sent using store-and-forward technology, to incorrect readings of glucose monitors leading to patient harm. We’ve even seen 450,000 women in England who were not invited for a routine breast cancer screening because of a ‘computer error’. The risks are present, real and getting harder to predict. A recent study cited that the FDA reported receiving information on 260 incidents with potential for patient harm, including 44 injuries and six deaths, all arising from technology-related healthcare incidents. It was also reported that almost 25% of 176,409 medication errors notified to US Pharmacopeia were technology-related.


So what does this mean for the insurability of practitioners and companies operating in eHealth? Well, in short it becomes problematic. Medical malpractice insurers are rightly concerned about the potential for patient harm arising from technology-related errors, not to mention the lack of credible data to nullify their concerns for it eroding their profit margin. As a result, their policy triggers have stayed eye-wateringly static despite the global rise of technology within healthcare. Technology E&O insurers will only extend to losses arising from ‘technology activities’ and are loath to offer any form of bodily injury whether it’s on a primary or contingent basis, and cyber insurers, quite simply, explicitly exclude all forms of bodily injury.


A dearth of affirmative coverage is therefore present in the insurance industry for traditional healthcare providers and digital health companies alike. This has already and will continue to lead to grey areas being present within insurance placements. The knock-on effect of this will be finger-pointing between three or more insurers over the proximate causation of the loss: was it a healthcare incident, technology error or cyber event? Absent any case law, and despite the litany of disclaimers, clients will then subsequently be required to pay three different deductibles and may even run the risk of having no coverage whatsoever. The debate will then intensify about who makes the ultimate decision on patient care, the technology or the traditional healthcare provider?


With these sentiments in mind, the insurance industry is on the cusp of a more modernized approach for healthcare providers. As the shift in healthcare delivery continues, it will become increasingly crucial for agents and wholesale brokers to advise their clients of these potential pitfalls in standard insurance policies, and to source bespoke insurance products tailored to meet clients’ refreshed needs and demands.


If you would like to download, print or share this article, you can do so here.