Insurer tells hospitals: You let hackers in, we are not bailing you out

The wrote a fantastic article about a topic we all need to be concerned with (original post found HERE). In summary, a healthcare provider was breached due to their weak cyber security investments and tried to use insurance money to make up for the financial loses. The insurance company is fighting back by suing the healthcare provider since the healthcare provider did not provide adequate security protection.

Hopefully this helps companies justify investing in security since passing along the risk using insurance may not be a viable option anymore. This is huge since many companies such as healthcare are playing roulette with OUR DATA without our knowledge. Maybe this will eventually even make its way to the government one day … like for example the IRS recently leaking a bunch of records (that story found HERE). Here is the original story from

IT departments better pick up their game – like not leaving anon FTP open to the world

When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers.

Now the insurance company, Columbia Casualty Company, has claimed Cottage’s computers were hopelessly insecure, and it wants its money back. Columbia claims the healthcare provider’s IT security was so poor that attackers were able to access its network and sensitive customer data via an anonymous FTP account found via a Google search.

The Columbia suit [PDF] (via Security Ledger) accuses Cottage of failing to meet ‘minimum requests’ regarding data security, putting it in violation of its insurance policy.

According to Columbia, Cottage suffered a breach beginning in October 2013 and notified its insurer in December. For the loss of 32,500 customer records, the healthcare provider was eventually forced to pay out a settlement of $4.125m, that Columbia backed as an insurer.

Columbia argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy.

Among the allegations, Columbia claims that Cottage failed to check for and apply security patches within 30 days of release, replace default access settings on security devices, undergo annual security audits, and outsourced data to firms with poor security. Cottage is also accused of failing to provide adequate detection and tracking of changes to its network and data.

“The data breach at issue in the Underlying Action and the DoJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine,” Columbia said.

Cottage is also under investigation by the Department of Justice for not securing patients’ records properly under the Health Insurance Portability and Accountability Act. Columbia is arguing that it shouldn’t be liable for any costs incurred in that investigation either.

The case is a sign that insurance companies are taking an increasingly tough line in computer crime cases, perhaps because they are getting sick of paying out large sums for avoidable incidents – particularly over something as obvious as insecure FTP access, allegedly.

The legal battle, case 2:15-cv-03432, is being heard by the Central California District Court.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.