Health system’s data breach insurance claims get challenged

Health system “provided false responses” to a risk control self-assessment

What happens when a health system with liability insurance fails to secure its patients’ protected health information and is hit with a $4.13 million class action settlement for it? The civil actions of one insurance company suggest that the claims money doesn’t come easy if you fail to follow minimum required security practices.

The three-hospital Cottage Health System in California back in December 2013 notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available on search engines like Google.

[See also: HIPAA security gaffe puts PHI on Google.]

The health system, which had a liability policy with Columbia Casualty Company, is now being challenged by the insurance company in court. The Chicago-based insurance company, which operates as a subsidiary of Continental Casualty Company, is challenging the claims of Cottage Health System, whose settlements with patients thus far total nearly $4.13 million, saying the health system “provided false responses” to a risk control self-assessment when it applied for a liability policy.

Columbia officials, in a complaint filed this May, point to an exclusion pertaining to failure to follow minimum required practices. This exclusion, they write, “precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving ‘(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application.’”

The health system’s data breach, Columbia officials allege, was caused by Cottage’s “failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network.”