In-brief: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data.
There wasn’t anything particularly surprising about the news, in December 2013, that confidential data on patients at Cottage Health System had been exposed on the Internet.
Indeed, in light of subsequent attacks on healthcare industry firms like Athena (80 million records exposed) and Premera, the data leak at California-based Cottage, which involved 32,755 patients, looks like a rounding error. But the incident may prove to have an impact that far exceeds the number of individuals affected, now that Cottage’s insurer, Columbia Casualty Insurance, is denying an insurance claim linked to the breach and citing Cottage Health’s lax security practices as the reason.
In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,” the complaint alleges.
The breach in question affected patients at a string of southern California medical facilities including Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital and Santa Barbara Cottage Hospital. It lasted for almost two months, starting in October 2013, and involved data going back as far as 2009, according to published reports. Among the data compromised by the leak were patient names and addresses, dates of birth and some protected health information related to diagnosis, lab results and procedures performed.
While Cottage was not attacked, per se, the company allowed the data in question to be accessible from the public Internet and Google’s search crawlers, making it difficult to know who may have had access to it during the period it was exposed.
Cottage is seeking more than $4 million in damages related to the incident as well as a Department of Justice investigation of possible violations of HIPAA, the federal health information privacy law. Columbia is looking to get reimbursed for anything it pays out related to the incident.
Among the failures cited by Columbia were Cottage’s “failure to continuously implement the procedures and risk controls identified in its application” for the coverage. Those controls include configuration and change management for its IT systems as well as regular patch management. Cottage also failed to regularly “re-assess its information security exposure and enhance risk controls” and to “deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers.”
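The last control Columbia cites, a system to detect unauthorized access or access attempts against servers holding sensitive information, is the one that would have shortened a leak like this one from months to hours. The following is an added example, not code from the article, from Cottage or from its insurer: a small Python detector that reads web-server access logs in Combined Log Format and raises an alert whenever a path under a sensitive prefix is successfully read either by a search-engine crawler or by a client with no authenticated user. The log lines, IP addresses (from documentation ranges), the `/records/` prefix and the crawler markers are all constructed assumptions for this example; in practice the prefix and markers would come from the organization’s own data inventory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of access-log lines (Combined Log Format).
# Hosts, paths and user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2013:03:14:07 +0000] "GET /records/patient_4471.pdf HTTP/1.1" 200 51203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [12/Oct/2013:03:14:09 +0000] "GET /records/ HTTP/1.1" 200 8820 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - jdoe [12/Oct/2013:08:02:44 +0000] "GET /records/patient_4471.pdf HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Oct/2013:09:30:01 +0000] "GET /records/patient_9001.pdf HTTP/1.1" 200 40211 "-" "curl/7.32.0"
192.0.2.55 - - [12/Oct/2013:09:30:05 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "curl/7.32.0"
"""

# Fields of a Combined Log Format line: client IP, ident, auth user,
# timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed location of sensitive content and assumed crawler markers.
SENSITIVE_PREFIXES = ("/records/",)
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandex")


@dataclass
class Alert:
    ip: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """Flag successful reads of sensitive paths by crawlers or unauthenticated clients."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if rec["status"] != "200":
            # Denied or failed requests are worth counting too, but the
            # control at issue here is detecting successful exposure.
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in CRAWLER_MARKERS):
            alerts.append(Alert(rec["ip"], rec["path"],
                                "search-engine crawler read sensitive path"))
        elif rec["user"] == "-":
            alerts.append(Alert(rec["ip"], rec["path"],
                                "unauthenticated read of sensitive path"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ip} {a.path}: {a.reason}")
```

On the constructed sample this yields three alerts: two for the crawler fetching the records directory and a file inside it, and one for an unauthenticated `curl` download; the read by the authenticated user `jdoe` is not flagged. The check keys on the absence of an authenticated user rather than on any particular client, which is what makes it catch the case in the complaint, where nothing was “attacked” and the records were simply readable by whoever asked.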
More organizations are looking to hedge their risks with cyber insurance. Data from AON’s Global Risk Insight Platform (GRIP) – a repository of insurance placement data – suggests that the cyber insurance market is growing at 38% annually.
Healthcare organizations are particularly interested in coverage, given the growing interest of sophisticated hacking groups in the wealth of protected data they typically hold: everything from Social Security Numbers and medical diagnoses to credit cards.
But the cyber insurance market is still young, and insurers have incomplete data on cyber risk, experts note. To hedge their own lack of hard, actuarial data, many insurers write liberal exclusions into their policies to make sure they’re not on the hook for lax policies and procedures by insured firms.