Lisa Vaas of Naked Security on a cyber insurance provider saying they “don’t cover stupid” and fighting a payout over obviously ignorant actions by the insured:
Good thing the healthcare provider had insurance to cover such a data breach, eh?
Well, it would have been a bit of a relief, if the insurer hadn’t scratched its head and shrugged its shoulders, pointing to a clause in the policy that means it doesn’t have to pay out when the insured party has been bone-headed about its security.
Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy.
Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
The patient data had been exposed for about two months, starting in October 2013.
It’s not like the company was jumped on by cyber attackers, per se. Rather, the data was accessible via the public internet and to Google search.
That makes it tough to know who might have accessed the data.
This is where cyber security insurance will be interesting to watch; expect more cases like this in the future to shape what policies require of the insured before they pay out.