IT security breaches have become so commonplace in recent years that they barely seem to raise an eyebrow anymore: Target, Bank of America, the I.R.S., the list goes on. With that rise, claims on cybersecurity insurance policies have risen as well.
But a recent case in California—where Columbia Casualty is denying a claim by Cottage Health Systems, citing its lax network precautions for allowing the leak of some 32,000 patients’ confidential information—should put banking, healthcare, and PCI industry executives on edge.
The 2013 incident ultimately led to a $4.125 million settlement in a class action lawsuit that charged Cottage with violating California’s Confidentiality of Medical Information Act (“CMIA”).
However, earlier this month Columbia filed a complaint in a California U.S. District Court alleging that Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow the “minimum required practices” spelled out in the policy.
Medical records were “stored on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,” according to court documents.
The health company was not the victim of a cyberattack; rather, it failed to keep the data shielded from the public Internet and Google search tools.
Cottage is pursuing over $4 million in damages related to the case and the Department of Justice investigation of possible HIPAA violations. Columbia is looking to get reimbursed for anything paid out because of it.
The complaint also cites Cottage's inadequate controls for configuration and change management of its IT systems, as well as for regular patch management. Furthermore, it says, Cottage did not regularly “re-assess its information security exposure and enhance risk controls,” nor did it “deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers.”
William DePalma, a managing partner at Compass IT Compliance based in North Providence, R.I., sees this case as part of a larger trend, and one that data-intensive organizations would do well to take notice of:
“With the healthcare industry experiencing double-digit growth—and firms eager to get a bite of the cyber insurance market—we can expect to see more and more incidents like this. My advice is for companies to make sure they have crossed their t’s and dotted their i’s when it comes to data security. It can mean the difference between business as usual and catastrophe.”