Tag Archives: Columbia Casualty

Failure To Follow Minimum Required Practices

I have written several times about the fight between Cottage Health System and Columbia Casualty, a division of CNA Insurance.

In 2013 Cottage’s systems were breached and the private information of thousands of patients was publicly disclosed.  Their insurance company paid $4.125 million for costs related to the breach, including the settlement of a class action lawsuit.

That is the end of the good news.  Last year Columbia filed suit against Cottage demanding its money back.  It cited a number of reasons.

First, Columbia said that Cottage failed to follow minimum required practices, which is a coverage exclusion in the policy.  Columbia argued that Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application” means that Columbia does not have to cover Cottage’s losses.

Translated from the original legalese, Columbia is alleging that Cottage claimed to have implemented certain security policies and operational procedures when it completed its insurance application and in fact did not.  Or, Cottage did have those policies and procedures on paper, but did not actively follow them.

Among the things Columbia says Cottage claimed to do but did not:

  • Replace factory default passwords
  • Regularly patch their systems
  • Exercise due diligence over its information security management vendor’s safeguards

Columbia says that even if the hospital did not intend to lie, a “misrepresentation or omission of material fact” is enough, under the terms of the policy, to void it.  So Columbia is saying not only that it does not want to pay, but that it wants the policy rescinded altogether.

Let’s separate this into two conversations.

First, if Cottage Health really did not change default passwords, promptly patch its systems, or have an effective vendor management program, then it is (a) pretty typical and (b) lucky that the breach only cost it $4 million to recover from.  Those are basic things that everyone had better be doing.  Keep in mind that the controls listed in an insurance application are not aspirational: the insurer can, and here did, compare the attestation against what was actually in place after a claim is filed.

On the other hand, and this is much more important, it points to the complexity of cyber risk insurance.

How many people, especially in a relatively small business, would understand what “failure to follow minimum required practices” means?  As I understand it, the term was not further defined in the policy.

Although the article in National Law Review says the lawsuit was recently filed, it was actually filed over a year ago.  Hopefully that does not point to a long editorial cycle on the web site’s part.  Last I heard, the complaint has been withdrawn and the two parties are trying to work out a compromise out of court.

However this turns out, it is unlikely that Cottage will be receiving any more checks from Columbia even though the costs of this breach may continue, and in fact Cottage may have to find a new insurance company.

Trying to find a new insurance company after this “dispute” with their current insurance company has been plastered all over the news may not be easy.

The watchword here is BEWARE!  The world of cyber risk insurance is somewhat like the Wild Wild West.  It is definitely the world of buyer beware.

Information for this post came from National Law Review.


Cyber Insurance Will Not Make Up For Your Sins

Columbia Casualty paid Cottage Health System a little over $4 million after a breach in late 2013.  Columbia wants its $4 million back, plus attorney’s fees and expenses, because, it says, Cottage “did not follow minimum required practices for protecting information and did not truthfully attest to its security controls” (see article).

Here is more of the story.

Cottage Health, based in Santa Barbara, hired inSync to put patient records online in a secure manner.  The details of what that means are not clear.  However, it appears that inSync did not configure things correctly, making the records publicly available.

Initially, it was thought that 32,000 patients’ information was compromised, but later that number was raised to around 50,000.

The breach lasted from October 8 to December 2, 2013, a short time, but long enough for Google to index the records.  The information compromised was health information: diagnoses, lab results and related things.  It did not include Social Security Numbers or other personal identifiers.  Health information of this kind is protected health information, or PHI, and its release is a HIPAA violation.  In addition, Cottage was hit with a class action lawsuit.

Anyway, back to the $4 million.

Cottage is blaming inSync for the lack of protection.  While this may be technically true, for purposes of both HIPAA and Columbia’s lawsuit, that fact is unimportant.  Cottage can certainly go back to inSync and sue it for damages, assuming its contract allows for that.

All this is meant to point out that, one more time, supply chains can come back and bite you in very sensitive body parts.

Outsourcing does not absolve you of ANY liability.  It may make someone else additionally liable, but it does not remove your liability.

If you don’t manage your outsourcers, you could be in worse shape than if you did it yourself.

And, if you don’t manage your outsource contracts, you actually may have both the cost of outsourcing and ALL of the liability.

That’s not a pleasant thought.