Health Records Breached: No CyberInsurance Payout Why? Stupidity

following story says that 32,000 patient records were placed on an insecure server on the Internet  within the Cottage Health System.

http://www.noozhawk.com/article/class-action_lawsuit_aimed_cottage_hospital_records_breach

Unfortunately a simple Google search would reveal these patient records which is against the HIPAA privacy guidelines.

Apparently the Hospital did have cyberinsurance from Columbia Casualty  insurance

according to https://nakedsecurity.sophos.com/2015/05/28/we-dont-cover-stupid-says-cyber-insurer-thats-fighting-a-payout/

cottagehealthsystems  Santa Barbara hospital within Cottage

 

 

As has been noted by Dark Reading (InformationWeek) there are several reasons that insurance does not ahve to payout (clauses)

* Not paying retroactively

* Terrorism – act of war

* Lack of coverage or negligence

some policies do not cover theft or outright negligence.

 

It obviously pays to read the fine print to see what exactly your cyberinsurance covers.

What is considered negligence? Is it placing a server with access to the internet? Is it badly designed passwords? Where does the standard for negligence lie?

 

Obviously the decision to place a number of patient records on the Internet has to make sense to somebody.

 

What about an IT person that was given a task to place a new software database which would allow doctors and patients easy access to their information?

The method and task of creating the new system is important. And in this day of cyber attacks how that is done is very important.

In this link http://www.propertycasualty360.com/2012/10/05/negligence-and-hacking-attacks-top-cyber-liability  you can see that cyberinsurance does cover negligence(as mentioned above almost all breaches are due to some negligence), but encryption of mobile devices or otherwise is required.

cyberinsurancenegligence

The key is the last paragraph:

{The good insureds are focusing on this and making sure they reduce their risk where they can and then get into the insurance with the understanding that things can still happen no matter how prepared they are.}

In hindsight Cottage health Systems did not do proper diligence and thus is not due any insurance payout.

 

Do you want to do proper security diligence? Then contact Us we can help.

 

 

Advertisements

One thought on “Health Records Breached: No CyberInsurance Payout Why? Stupidity”

Leave a Reply

Your email address will not be published. Required fields are marked *