Good thing the healthcare provider had insurance to cover such a data breach, eh?
Well, it would have been a bit of a relief, if the insurer hadn’t scratched its head and shrugged its shoulders, pointing to a clause in the policy that means it doesn’t have to pay out when the insured party has been bone-headed about its security.
Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy.
Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
The patient data had been exposed for about about two months, starting in October 2013.
It’s not like the company was jumped on by cyber attackers, per se. Rather, the data was accessible via the public internet and to Google search.
That makes it tough to know who might have accessed the data.
This is where cyber security insurance is going to be interesting to watch; expect more and more cases like this in the future to help shape the scope of cyber insurance payout requirements.
While in this case the court found that there was no coverage, it serves as an important reminder to policyholders that cyber policies, which have become increasingly popular in the wake of high-profile data breaches, may also be a source of coverage for other types of liabilities. In the case discussed above, the only “cyber” element seems to have been that the dispute between Global and FRA concerned electronic data; it was not alleged that the insured, or anyone else, wrongfully accessed or publicized that data. Indeed, the errors and omissions module in the policy at issue does not appear to have required a cyber “hook” for coverage. Yet, even though the court denied coverage, it did not base its denial on the absence of a data breach.
A further point for policyholders to keep in mind is that, to date, there is little if any judicial guidance on the interpretation of insurance policies of any type in the context of data breaches and other cyber attacks. For example, with respect to coverage triggered by negligent acts and omissions, no court has addressed the level of negligence that must be alleged with respect to an insured whose computer network was infiltrated by cyber criminals resulting in the leak of private information. Given the recent proliferation of exclusions in general liability and first-party property policies that purport to bar coverage for cyber liabilities, and the increasing sophistication of cyber criminals, it may be only a matter of time before courts have many more occasions to interpret cyber policies. However, the availability coverage for cyber events under “traditional” policies is still a relatively untested question.
CareFirst BlueCross BlueShield was the victim of a cyberattack that compromised information on about 1.1 million current and former customers, the health insurer that covers residents of D.C., Maryland and Virginia announced Monday.
Several major health insurers have disclosed significant breaches this year, including Anthem, the nation’s second largest health insurers, which revealed that data on nearly 80 million customers was compromised.
The CareFirst attack occurred in June 2014, according to a Web site set up by the insurer. The company said its cyber-security team thought it had fended off the attack at the time, but a recent review discovered that the attackers had gained access to the usernames that customers created on its Web site as well as their real names, birth dates, e-mail addresses and subscriber identification numbers.
The company said it first learned that data on customers was accessed nearly a month ago, on April 21, during the course of a review of its systems by cybersecurity firm Mandiant. CareFirst said it did not disclose the discovery until now so it could complete its investigation of the incident.
The medical industry is increasingly becoming a major target for cyber attacks.