- It is not uncommon for healthcare organizations to create a healthcare cyber policy with an insurance company, detailing what will take place should a data breach happen. However, if such policies are not followed, a covered entity might not necessarily be eligible to receive payment after the incident.
California-based Cottage Health System allegedly broke its healthcare cyber policy that it had in place with Columbia Casualty, a unit of Chicago-based CNA. Columbia Casualty had issued a NetProtect360 claims-made policy to Cottage Health, according to Business Insurance. Any settlement though was subject to a complete reservation of rights.
Cottage Health had 32,500 confidential medical records accessed between Oct 8, 2013, and Dec. 2, 2013, and reported that the healthcare data breach was due to information being stored on a system that was fully accessible to the Internet, yet the necessary security measures - like encryption - were not installed.
Originally, a class action lawsuit was filed against Cottage Health in January 2014, and a $4.1 million settlement received preliminary court approval in December 2014. At the time, Columbia Casualty agreed to fund the settlement, subject to a complete reservation of rights.
There is now a counter suit, though, with Columbia Casualty claiming that it does not need to pay the money. According to Columbia Casualty Co. v. Cottage Health System, the insurance company was not obligated to provide Cottage with a defense or indemnification in the matter. This is because the healthcare cyber policy precludes coverage for “failure to follow minimum required practices.”
Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.
The court case documents further explain that Columbia “seeks declaration that it has no duty to defend or indemnify Cottage in the Underlying Action or the DOJ Proceeding.”
Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.
The complaint also outlines the application that Cottage Health was required to fill out in order to receive a healthcare cyber policy. The “Risk Control Self Assessment” asked questions such as:
- Do you check for security patches to your systems at least weekly and implement them within 30 days?
- Do you replace factory default settings to ensure your information security systems are securely configured?
- Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
- Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?
According to the complaint, Cottage Health answered falsely, and CNA is therefore entitled to reimbursement of defense and settlement payments in the case.