Columbia Casualty paid Cottage Health System a little over $4 million after a breach in December 2013. Columbia wants their $4 million back, plus attorney’s fees and expenses because, they say, Cottage “did not follow minimum required practices for protecting information and did not truthfully attest to its security controls” (see article).
Here is more of the story.
Cottage Health, based in Santa Barbara, hired inSync to put patient records in a secure manner online. The details of what this means is not clear. However, it appears that inSync did not configure things correctly, making the records available publicly.
Inititally, it was thought that 32,000 patients’ information was compromised, but later that number was raised to around 50,000.
The breach lasted between October 8th and December 2, 2013, a short time, but long enough for Google to index the records. The information compromised was health information – diagnoses, lab results and related things. It did not include Social Security Numbers or other personal information. The information released is considered protected health information or PHI and that release is a HIPAA violation. In addition, Cottage was hit with a class action lawsuit.
Anyway, back to the $4 million.
Cottage is blaming inSync for the lack of protection. While this may technically true, for purposes of both HIPAA and Columbia’s lawsuit, that fact is unimportant. Cottage can certainly go back to inSync and sue them for damages. Assuming their contract allows for that.
All this is meant to point out that, one more time, supply chains can come back and bite you in very sensitive body parts.
Outsourcing does not absolve you of ANY liability. It may make someone else additionally liable, but it does not remove your liability.
If you don’t manage your outsourcers, you could be in worse shape than if you did it yourself.
And, if you don’t manage your outsource contracts, you actually may have both the cost of outsourcing and ALL of the liability.
That’s not a pleasant thought.