Insurer Seeks Breach Settlement Repayment
Alleges Client Failed to Follow 'Minimum Practices'
Columbia Casualty, a cyber-insurer that paid more than $4 million, plus defense attorney expenses, to settle a class action suit filed against its client, Cottage Health, in the wake of a 2013 data breach, is now trying to claw back the payments.
In a lawsuit filed on May 7 in the U.S. District Court for the Central District of California, Columbia Casualty says it is seeking reimbursement of "defense and settlement payments" from Cottage Health because the California healthcare provider allegedly "failed to follow minimum required practices" as required under its insurance policy.
More legal disputes between cyber-insurers and their clients will arise in the aftermath of class action lawsuits and settlements after breaches, predicts security attorney Stephen Wu of Silicon Valley Law Group in San Jose, Calif., who is not involved in the Cottage Health lawsuit. "There is a lot of money involved in these cases," he says.
He advises organizations buying cyber-insurance coverage to read the fine print in the contract and make sure they can meet all requirements.
Columbia Casualty alleges that Cottage Health's application for coverage under the Columbia policy "contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage's data breach risk controls," according to the insurer's lawsuit.
In a statement provided to Information Security Media Group, Cottage Health, which owns five hospitals, offered only a brief response: "We were recently served with this lawsuit and are reviewing it with counsel. Based on our preliminary review, we do not believe the suit has merit."
An attorney representing Columbia Casualty in the lawsuit declined to comment on the case.
At the center of the dispute is a 2013 breach that exposed on the Internet protected health information of more than 32,500 patients of Cottage Health, allegedly due to a lapse in protection of a server by one of the healthcare provider's business associates, INSYNC Computer Solutions.
Individuals affected by the data breach filed a class action lawsuit against Cottage Health and INSYNC in January 2014, and a settlement was reached in December 2014.
Among other claims, the class action suit alleged that the breach occurred because Cottage Health and/or INSYNC failed to install encryption or take other security measures to protect patient information from becoming available to anyone who surfed the Internet, according to the court documents filed by Columbia Casualty.
The breach was discovered by Cottage Health on Dec. 2, 2013, after the organization "received a voice mail message informing it that a file containing personal health information of certain patients may be available on Google," according to a Dec. 11, 2013, letter sent by the organization's attorney to California Attorney General Kamala D. Harris.
INSYNC did not immediately respond to an ISMG request for comment on the dispute.
Cause of Breach
In its lawsuit against Cottage Health, Columbia Casualty alleges that several factors contributed to the data breach.
"The data breach at issue ... was caused by Cottage's failure to continuously implement the procedures and risk controls identified in its [insurance] application, including, but not limited to, its failure to replace factory default settings, its failure to ensure that its information security systems were securely configured, among other things," the insurer alleges.
Columbia Casualty also alleges that the breach "was caused as a result of File Transfer Protocol settings on Cottage's Internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google's Internet search engine."
Additionally, the insurer alleges that contributing to the breach was "Cottage's failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, [and] its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things."
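The two technical failures the insurer singles out, an FTP service left open to anonymous users and the absence of any mechanism to detect unauthorized access, are both things a defender can check mechanically. The following is an added example, not code from the article or from any party to the lawsuit. It assumes a vsftpd-style key=value configuration and vsftpd-style log lines (the article never names the FTP software), and both the configuration text and the log lines are constructed for illustration. It audits the configuration for the settings that grant anonymous access (treating a missing anonymous_enable as vsftpd's upstream default of YES, the "factory default" problem the complaint describes) and flags anonymous logins in the log.

```python
"""Audit a vsftpd-style FTP config and log for anonymous access exposure.

Added illustration; assumes vsftpd option names. Config and log content
below are constructed samples, not data from the breach in the article.
"""
import re

# Constructed weak configuration: anonymous access on, writes allowed, no TLS.
WEAK_CONFIG = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/pub
local_enable=YES
write_enable=YES
"""

# Constructed hardened configuration: anonymous access off, TLS required.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
"""

# vsftpd options that let anonymous users modify the server when set to YES.
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")


def parse_config(text):
    """Parse key=value lines (vsftpd style); comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def _is_yes(settings, key, default):
    """Boolean view of a vsftpd YES/NO option, falling back to `default`."""
    return settings.get(key, default).upper() == "YES"


def audit_config(text):
    """Return a list of findings; an empty list means no anonymous exposure."""
    s = parse_config(text)
    findings = []
    # vsftpd's upstream default for anonymous_enable is YES, so an absent
    # key is the "factory default" case, not a safe one.
    if _is_yes(s, "anonymous_enable", "YES"):
        findings.append("anonymous_enable is YES (or left at the upstream "
                        "default): anonymous logins are accepted")
    for key in ANON_WRITE_KEYS:
        if _is_yes(s, key, "NO"):
            findings.append(f"{key}=YES: anonymous users can write to the server")
    if not _is_yes(s, "ssl_enable", "NO"):
        findings.append("ssl_enable is not YES: credentials and file contents "
                        "cross the network in cleartext")
    return findings


# Constructed log lines in vsftpd's format (one anonymous session, one local).
SAMPLE_LOG = [
    'Mon Dec  2 09:15:01 2013 [pid 1201] CONNECT: Client "203.0.113.7"',
    'Mon Dec  2 09:15:02 2013 [pid 1200] [ftp] OK LOGIN: Client "203.0.113.7", '
    'anon password "mozilla@example.com"',
    'Mon Dec  2 09:15:04 2013 [pid 1202] [ftp] OK DOWNLOAD: Client "203.0.113.7", '
    '"/pub/export.csv", 204800 bytes, 512.00Kbyte/sec',
    'Mon Dec  2 09:20:10 2013 [pid 1300] [alice] OK LOGIN: Client "198.51.100.4"',
]

# Matches the "[user] OK LOGIN: Client "ip"" fragment; the optional group
# captures the "anon password" suffix vsftpd writes for anonymous logins.
LOGIN_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"(?P<anon>, anon password)?'
)


def anonymous_logins(lines):
    """Return {user, ip} for every successful anonymous login in the log."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m.group("anon") or m.group("user").lower() in ("ftp", "anonymous"):
            hits.append({"user": m.group("user"), "ip": m.group("ip")})
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
    print("anonymous logins:", anonymous_logins(SAMPLE_LOG))
```

The config audit is the pre-deployment control (the "securely configured" requirement in the policy), while the log scan is the after-the-fact detection the insurer says was missing; an alert on any non-empty result from `anonymous_logins` is the minimum a server holding patient data should raise.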
Lessons to Learn
Covered entities and business associates can learn several lessons from this dispute between a cyber-insurer and a healthcare provider, says Wu, the security attorney.
"When you obtain cyber-insurance, read carefully the policy to make sure you are prepared to follow the requirements for coverage," he says.
"Do not lie to your carrier" about the measures being taken to protect data, he stresses. "It's important to maintain the security controls, including technical, physical and administrative controls, that are required and to supervise third parties to ensure they're also following the controls."
An insurer may not have a duty to cover the resulting breach expenses "if the barn door is open, and you lie about it - or the barn door was closed at the time the policy was signed but then you left the barn door open," Wu says.
"Insurance is elastic," he says. "Insurance policies can range from off-the-shelf, relatively inexpensive policies that don't cover much, to more expensive customized policies. The onus is on you to make sure the premium you're paying is providing you with a policy with the coverage you want and need."
Wu says he wouldn't be surprised if Cottage Health files legal action against its business associate, INSYNC, if Columbia Casualty is successful in its effort to seek reimbursement from the healthcare provider for the settlement-related expenses.