Liability Insurer Challenging Claims Paid Over Health Data Breach
June 2, 2015 in News
A liability insurance company is seeking to recoup $4.13 million in insurance claims paid to a California-based health system that suffered a health data breach in 2013, Healthcare IT News reports (McCann, Healthcare IT News, 6/1).
Background on Data Breach
In December 2013, Cottage Health System in Santa Barbara, Calif., notified 32,755 patients that their health data might have been compromised after a third party vendor — inSync — removed security protections limiting outside access to patient records without notifying the hospital.
The data included information on patients who were treated between Sept. 29, 2009, and Dec. 2, 2013, at Cottage facilities in:
- Santa Barbara; and
- Santa Ynez.
Information contained on the site included patients’:
- Lab test results; and
- Procedures performed (iHealthBeat, 12/16/13).
Cottage Health System was hit with a class-action lawsuit that resulted in a $4.13 million settlement, which the health system’s liability insurer had agreed to pay.
In May, the Chicago-based Columbia Casualty Company filed a complaint alleging the health system “provided false responses” to a risk control self-assessment in its liability policy application.
The complaint attributes the data breach to Cottage’s failure to:
- Conduct regular security checks and maintain security patches on its system;
- “Control and track all changes to its network”;
- “Have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers”; and
- “Regularly re-assess its information security exposure and enhance risk controls.”
The complaint states that an exclusion in its policy agreement “precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving ‘(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application.’”
Therefore, Columbia argues it should be reimbursed the full $4.13 million that it paid to Cottage, as well as attorney fees and related expenses (Healthcare IT News, 6/1).