ABL Network Solutions

Insurer refuses to pay out after data breach – citing inadequate cybersecurity

Posted: May 20th 2015

    A complaint now before the courts should alarm companies that rely on cyber insurance to cover the financial losses associated with information security incidents: an insurer is arguing that a policyholder's inadequate security voids its cover.

    Background

    Health care organizations are bound by the Administrative Simplification rules of the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of Protected Health Information (PHI).

    HIPAA covered entities that suffer a data breach are required to notify affected patients if their PHI has been inappropriately disclosed.

    There have been many health care data breaches recently; by one estimate, HIPAA breach notifications so far this year have covered nearly 125 million patient records.

    As the recent IBM/Ponemon 2015 Cost of Data Breach Study: United States found, the cost of notification has increased to an average of $0.56 million per incident – this on top of all the other costs associated with data breaches, which have pushed the average cost of a data breach to $6.5 million. Many health care organizations seeking to indemnify themselves against financial losses have therefore taken out cyber insurance policies to cover their losses.

    Cottage Healthcare System

    When California-based Cottage Healthcare System suffered a data breach in 2013, in which 32,500 customer records were leaked, its customers sued it for $4.125 million – a bill that was covered by its insurers, Columbia Casualty Company.

    Now, Columbia Casualty Company has filed a complaint seeking reimbursement from Cottage, claiming that the breach occurred ‘because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who “surfed” the internet.’

    It will be interesting to see how this case (2:15-cv-03432 in the Central District of California) pans out. One thing we can predict: as data breach incidents continue to increase in number and severity, insurers will become less able or willing to provide the cover most organizations expect, and more inclined to hold policyholders to the security practices their policies already require.
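The failure the complaint describes (records on a system reachable from the internet, served to anyone who "surfed" to them) is easy to check for from the outside. The script below is an added example, not code from ABL Network Solutions, Cottage or INSYNC: it fetches a URL as an anonymous client and flags a directory listing or a document body returned with a 200 instead of a 401/403 or a redirect to a login page. To run offline it stands up a throw-away stdlib web server over a temporary directory containing a constructed, fake "patient export"; the file name, port, content-type list and listing heuristics are all assumptions, and the heuristics are indicators, not proof.

```python
"""Anonymous-exposure check for a document share, plus an offline demo.
Added example; the server, file names and heuristics are constructed here."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Content types that almost always mean "a document left on a web root" (assumed list)
DOCUMENT_TYPES = (
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument",
    "text/csv",
    "application/octet-stream",
)


def check_exposure(url, timeout=5):
    """Fetch url with no credentials and report what an anonymous client gets.

    'exposed' is True when the server answers 200 with a directory listing or a
    document body. A 401/403/404 (raised as HTTPError) or a redirect that lands on
    an ordinary HTML login page is not counted as exposure."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    result = {
        "url": url, "status": None, "tls": url.lower().startswith("https://"),
        "listing": False, "document": False, "exposed": False,
    }
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["status"] = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(65536)
            # Apache/nginx say "Index of", Python's http.server says "Directory listing"
            if "text/html" in ctype and (b"Index of" in body or b"Directory listing" in body):
                result["listing"] = True
            if any(ctype.startswith(t) for t in DOCUMENT_TYPES):
                result["document"] = True
            result["exposed"] = result["listing"] or result["document"]
    except urllib.error.HTTPError as e:
        result["status"] = e.code  # 401/403/404: not anonymously readable
    except (urllib.error.URLError, OSError) as e:
        result["error"] = str(e)
    return result


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def serve_directory(directory):
    """Start a stdlib web server rooted at `directory` on a free localhost port,
    mimicking a document share left reachable without authentication.
    Returns (base_url, server); caller must shutdown() the server."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1], server


def demo():
    """Constructed scenario: a share holding a fake patient export, served with
    directory listing enabled. Returns checks for the root, the file and a
    missing path."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "patient_export.csv"), "w") as f:
            f.write("mrn,name,diagnosis\n000001,J. Doe,sample\n")  # constructed, not real PHI
        base, server = serve_directory(d)
        try:
            root = check_exposure(base)
            doc = check_exposure(base + "patient_export.csv")
            missing = check_exposure(base + "no-such-file")
        finally:
            server.shutdown()
            server.server_close()
    return root, doc, missing


if __name__ == "__main__":
    for r in demo():
        print("%-45s status=%s exposed=%s listing=%s document=%s tls=%s" % (
            r["url"], r["status"], r["exposed"], r["listing"], r["document"], r["tls"]))
```

Point `check_exposure` at the hostnames a vendor operates on your behalf and treat any `exposed=True`, or any `tls=False` on a host that carries PHI, as a finding to raise with that vendor before an insurer does.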

    What, then, can organizations do to protect themselves from the costly repercussions of data breaches?

    ISO 27001 and HIPAA

    Rather than relying on insurance to cover financial losses after a breach, health care organizations would do better to ensure they don’t have to claim in the first place – by following international best practice and implementing an information security management system (ISMS), as specified by the ISO 27001 standard.

    By virtue of its all-inclusive approach, ISO 27001 covers the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.

    Because the ISO 27001 control set overlaps heavily with other regulatory frameworks, organizations that achieve ISO 27001 registration often find that much of the work required by those frameworks is already done. Note the limit, though: certification evidences a managed, audited set of controls; it does not by itself constitute HIPAA compliance, and the HIPAA Security Rule's own requirements (such as a documented risk analysis and the required administrative, physical and technical safeguards) still have to be mapped to the ISMS and satisfied. In addition, the external validation offered by ISO 27001 registration is likely to improve an organization's cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

    The cost of non-compliance is also significant: civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for violations of the same provision, and criminal penalties can incur fines of up to $250,000 and ten years' imprisonment.
