Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage Health Claim


In-brief: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. 

There wasn’t anything particularly surprising about the news, in December, 2013, that confidential data on patients at Cottage Health System had been exposed on the Internet.

Indeed, in light of subsequent attacks on healthcare industry firms like Anthem (80 million records exposed) and Premera, the data leak at California-based Cottage, which involved 32,755 patients, looks like a rounding error. But the incident may prove to have an impact that far exceeds the number of individuals affected, now that Cottage’s insurer, Columbia Casualty Insurance, is denying an insurance claim linked to the breach and citing Cottage Health’s lax security practices as the reason.

In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,” the complaint alleges.


The breach in question affected patients at a string of southern California medical facilities including Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital and Santa Barbara Cottage Hospital. It lasted for almost two months, starting in October, 2013, and involved data going back as far as 2009, according to published reports. Among the data compromised by the leak were patient names and addresses, dates of birth and some protected health information related to diagnosis, lab results and procedures performed.

Columbia alleges Cottage Health failed to meet minimum standards for protecting patient data.

While Cottage was not attacked, per se, the company allowed the data in question to be accessible from the public Internet and Google’s search crawlers, making it difficult to know who may have had access to it during the period it was exposed.

Insurance may be boring, but it’s a hot topic right now among companies looking to hedge their risks of a damaging cyber attack.

Cottage is seeking more than $4 million in damages related to the incident as well as a Department of Justice investigation of possible violations of HIPAA, the federal health information privacy law. Columbia is looking to get reimbursed for anything it pays out related to the incident.

Among the failures cited by Columbia were Cottage’s “failure to continuously implement the procedures and risk controls identified in its application” for the coverage. Those controls include configuration and change management for its IT systems as well as regular patch management. Cottage also failed to regularly “re-assess its information security exposure and enhance risk controls” and to “deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers.”
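The last control in that list, detecting unauthorized access to sensitive data, is the one that would have shortened the two-month exposure window described above. The script below is an added example, not code from the article or from Cottage or Columbia, showing what a minimal detector looks like: it parses web-server access logs in the common "combined" format and flags successful requests for content under an assumed sensitive path (`/records/`, a placeholder) that either come from a search-engine crawler or carry no authenticated user at all. The log lines are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample access log in Apache/nginx "combined" format.
# These lines are invented for this example; they are not from any real system.
SAMPLE_LOG = """\
66.249.66.1 - - [12/Oct/2013:03:14:07 -0700] "GET /records/patient_1042.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.4.17 - jdoe [12/Oct/2013:08:02:11 -0700] "GET /records/patient_1042.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2013:09:45:30 -0700] "GET /records/ HTTP/1.1" 200 9120 "-" "curl/7.30.0"
10.0.4.17 - jdoe [12/Oct/2013:09:50:00 -0700] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2013:10:01:42 -0700] "GET /records/patient_2201.pdf HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# One "combined"-format log line: ip, ident, authenticated user, timestamp,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed location of protected health information on the server (placeholder).
SENSITIVE_PREFIXES = ("/records/",)

# Substrings that identify common search-engine crawlers in the User-Agent header.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "baiduspider", "duckduckbot")


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def is_crawler(user_agent: str) -> bool:
    """True if the User-Agent identifies itself as a search-engine crawler."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def audit(log_text: str) -> list[Finding]:
    """Flag successful retrievals of sensitive content by crawlers or unauthenticated clients.

    Lines that do not parse are reported too, so a format change cannot
    silently blind the detector.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            findings.append(Finding("?", "?", "unparseable log line"))
            continue
        status = int(m["status"])
        # Only successful responses (2xx/3xx) mean data actually left the server.
        if status >= 400 or not is_sensitive(m["path"]):
            continue
        if is_crawler(m["ua"]):
            findings.append(Finding(m["ip"], m["path"], "search-engine crawler retrieved sensitive content"))
        elif m["user"] == "-":
            findings.append(Finding(m["ip"], m["path"], "unauthenticated client retrieved sensitive content"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, the shape an alerting rule would key on."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:30} {f.reason}")
    print(summarize(audit(SAMPLE_LOG)))
```

Run against the constructed log, the detector reports two events: the crawler fetching a patient record and an anonymous client listing the records directory; the authenticated staff request and the rejected (401) request are not flagged. In practice the same two conditions can be expressed as a SIEM rule, and a single crawler hit on a protected path is a strong signal that the content is about to be indexed publicly.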

More organizations are looking to hedge their risks with cyber insurance. Data from AON’s Global Risk Insight Platform (GRIP), a repository of insurance placement data, suggests that the cyber insurance market is growing at 38% annually.

Healthcare organizations are particularly interested in coverage, given the growing interest of sophisticated hacking groups in the wealth of protected data they typically hold: everything from Social Security Numbers and medical diagnoses to credit cards.

But the cyber insurance market is still young, and insurers have incomplete data on cyber risk, experts note. To hedge their own lack of hard actuarial data, many insurers write liberal exclusions into their policies to make sure they’re not on the hook for lax policies and procedures at insured firms.

8 Comments

  7. I think this sets a reasonable goal in that a company is expected to do what it claims it will do to reasonably protect itself from damage as a result of cyber breaches. In this complaint, it made a number of representations to the insurance company in order to get coverage, of which some of them either were false to begin with (that they claimed they were doing, but didn’t really do) or weren’t followed (stopped doing what they were doing).

    Given that, say, the software was defective and could be attacked, then the hospital wouldn’t be liable and the insurer is on the hook, but you’re supposed to act in a reasonable and prudent manner, e.g. when I filed a claim with my insurance when my car was stolen about ten years ago, the first question the insurance company asked was, “Did you leave your keys in the car?” (I didn’t). Failing to take your keys is clearly not prudent and the insurer can rightfully refuse to pay.

    Here, the hospital more-or-less did the equivalent of leaving the keys in the car: they left unencrypted personal data belonging to their customers on an anonymous FTP system accessible from the Internet.

    • Agreed – I think these types of cases will do more to improve security practices than just about anything else in that they speak directly to the cost of doing business and make real the costs of lax security (beyond mea culpas and press releases).