Tag Archives: Cottage Health

Be Careful When Completing Those Cyber Insurance Questionnaires

I have written about the troubles of Cottage Health System in California. They were breached and the Protected Health Information of at least 32,000 patients was compromised.

The situation was that they had outsourced the storage of patient records to InSync, which by itself is not a problem, but InSync made this data available on the Internet, unencrypted, where it was indexed by Google.

$4 million later, the hospital submitted bills to their insurance company, which paid the bills.

Except.

The insurance company later came back and said that the hospital lied when it filled out a risk control questionnaire and, as a result, it wants its money back, plus expenses and legal fees. That is going back and forth and will probably be settled in private.

Now the California Attorney General has decided that Cottage broke the law by exposing patient data in two breaches, including the one above.

The state is fining Cottage $2 million (which their insurance carrier is not likely to pay) and also requiring them to make a number of changes to their previously non-existent cyber security program.  This includes risk assessments, vulnerability scans, training, policies and several other items.

The state said:

“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,”

Had Cottage not lied on their insurance questionnaire, the carrier would likely have paid for all of this, making Christmas much merrier for the hospital administration.

Of course, if they had a good cyber security program they might not even have gotten breached, which would have been good news all around.

Cottage Health is not some huge organization, so having to come up with $6 million plus spending money on doing the things the state is making them do will probably put a significant crunch on their finances.

And it started from the hospital administration not doing what they said they were doing, on the insurance risk questionnaire.

Information for this post came from Healthcare IT News and Health IT Security.


Failure To Follow Minimum Required Practices

I have written several times about the fight between Cottage Health System and Columbia Casualty, a division of CNA Insurance.

In 2013 Cottage’s systems were breached and the private information of thousands of patients was publicly disclosed.  Their insurance company paid $4.125 million for costs related to the breach, including a class action lawsuit.

That is the end of the good news.  Last year Columbia filed suit against Cottage demanding their money back.  They cited a number of reasons.

First, they said that Cottage failed to follow minimum required practices, which is a coverage exclusion in the policy. Columbia said that Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application” means that they don’t need to cover Cottage’s losses.

Translated from the original legalese, this means that Cottage claimed that they had implemented certain security policies and operational procedures when they completed their insurance application and in fact, they did not.  Or, they did have those policies and procedures, but they did not actively follow them.

Some of the things that Columbia says Cottage claimed to be doing, but was not, include:

  • Replace factory default passwords
  • Regularly patch their systems
  • Exercise due diligence over its information security management vendor’s safeguards

Columbia says that even if the hospital did not intend to lie, the “misrepresentation or omission of material fact” is enough, under the terms of the policy, to cancel the policy. So, they are saying, not only do they not want to pay, but they want to cancel the policy altogether.

Let’s separate this into two conversations.

First, if Cottage Health really did not change default passwords, promptly patch their systems, or have an effective vendor management program, then they are (a) pretty typical and (b) lucky that it only cost them $4 million to recover. Those are pretty basic things that everyone had better be doing.

On the other hand, and this is much more important, it points to the complexity of cyber risk insurance.

How many people, especially in a relatively small business, would understand what “failure to follow minimum required practices” means? As I understand it, the term was not further defined in the policy.

Although the article in National Law Review says the lawsuit was recently filed, it was actually filed over a year ago. Hopefully that does not point to a long editorial cycle on the web site’s part. Last I heard, the complaint has been withdrawn and the two parties are trying to work out a compromise out of court.

However this turns out, it is unlikely that Cottage will be receiving any more checks from Columbia, even though the costs of this breach may continue, and in fact they may have to find a new insurance company.

Trying to find a new insurance company after this “dispute” with their current insurance company has been plastered all over the news may not be easy.

The watchword here is BEWARE! The world of cyber risk insurance is somewhat like the Wild Wild West. It is definitely the world of buyer beware.

Information for this post came from National Law Review.


Cyber Insurance Will Not Make Up For Your Sins

Columbia Casualty paid Cottage Health System a little over $4 million after a breach in December 2013.  Columbia wants their $4 million back, plus attorney’s fees and expenses because, they say, Cottage “did not follow minimum required practices for protecting information and did not truthfully attest to its security controls” (see article).

Here is more of the story.

Cottage Health, based in Santa Barbara, hired inSync to put patient records online in a secure manner. The details of what this means are not clear. However, it appears that inSync did not configure things correctly, making the records publicly available.

Initially, it was thought that 32,000 patients’ information was compromised, but later that number was raised to around 50,000.

The breach lasted from October 8 to December 2, 2013, a short time, but long enough for Google to index the records. The information compromised was health information – diagnoses, lab results and related things. It did not include Social Security Numbers or other personal information. The information released is considered protected health information, or PHI, and its release is a HIPAA violation. In addition, Cottage was hit with a class action lawsuit.

Anyway, back to the $4 million.

Cottage is blaming inSync for the lack of protection. While this may technically be true, for purposes of both HIPAA and Columbia’s lawsuit, that fact is unimportant. Cottage can certainly go back to inSync and sue them for damages, assuming their contract allows for that.

All this is meant to point out that, one more time, supply chains can come back and bite you in very sensitive body parts.

Outsourcing does not absolve you of ANY liability.  It may make someone else additionally liable, but it does not remove your liability.

If you don’t manage your outsourcers, you could be in worse shape than if you did it yourself.

And, if you don’t manage your outsource contracts, you actually may have both the cost of outsourcing and ALL of the liability.

That’s not a pleasant thought.
