Cybersecurity coverage being challenged in court has some important points that all businesses should consider.


Links

FindHealthcareIT


HIPAAforMSPS.com


Kardon Compliance


Help Me With HIPAA 


Notes

COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM


Data breach occurred

Breach announcement said: Between October 8, 2013 and December 2, 2013, PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet.
Hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online.
Patients seen Sept. 29, 2009, to Dec. 2, 2013; the data included names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet-facing server on or about Oct. 8, 2012. The change allowed ePHI to become available to the public via Google's internet search engine. The server was taken offline immediately on Dec 2 once the call came in.

Insync doesn't mention healthcare on their website anymore.
People make mistakes, even the IT folks; theirs are just big ones.

Lawsuits and Investigations

Civil suit filed January 27, 2014 and settled December 2014

$4.125 million along with related expenses and attorneys' fees
50,917 patients included in the settlement

Ongoing investigation for HIPAA violations

Involves CA Dept of Justice and likely OCR
The DOJ proceeding will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws and may potentially result in the imposition of fines, sanctions or penalties.

Insurer Columbia Casualty filed suit

Saying they shouldn't have to pay the $4.1 million claim, nor any expense they have incurred or will incur over this case

Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney's fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit and any related proceedings and an award of damages consistent with such declaration.

INSYNC, the IT company, does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.

Why does Columbia think they shouldn't pay?

The Columbia Policy contains the following exclusion:

"Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss: Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving... Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing."

It also states: "This Policy shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy."

The Columbia Policy application contained the following questions, which were answered by the hospital:

Do you check for security patches to your systems at least weekly and implement them within 30 days? • Yes
Do you replace factory default settings to ensure your information security systems are securely configured? • Yes
Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? • Yes
Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? • Yes
Whenever you entrust sensitive information to 3rd parties do you...

    contractually require all such 3rd parties to protect this information with safeguards at least as good as your own? • Yes
    perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors)? • Yes
    audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? • Yes
    require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality? • Yes (Which INSYNC did not)

Do you have a way to detect unauthorized access or attempts to access sensitive information? • Yes
Do you control and track all changes to your network to ensure it remains secure? • Yes

Failure to Follow Minimum Required Practices is clear according to the insurance company, which is why they say they shouldn't have to pay:

failure to replace factory default settings and failure to ensure that its information security systems were securely configured
failure to regularly check and maintain security patches on its systems
failure to regularly re-assess its information security exposure and enhance risk controls
failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers
failure to control and track all changes to its network to ensure it remains secure
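Two of these points, the anonymous FTP access left active on an internet-facing server (described in the breach notes above) and the lack of a way to detect unauthorized access, map onto checks a covered entity or its IT vendor can run. The script below is an added example, not from the show notes, the court filings, Cottage, or Insync: it audits a vsftpd-style configuration for directives that open anonymous access (the insecure config beside a hardened one) and scans vsftpd-style log lines for anonymous logins and transfers. The directive names are vsftpd's; the config text and log lines are constructed for the example, and the IPs and file paths are made up.

```python
"""Audit an FTP server for anonymous access and flag anonymous activity in its logs.

Constructed example: the config and log lines below are made up for
illustration, modelled on vsftpd's vsftpd.conf and vsftpd.log style.
Nothing here is from the Cottage Health case or from Insync.
"""
import re
from collections import Counter

# vsftpd directives that open anonymous access when set to YES
# (assumption: names match vsftpd; other FTP daemons use different keys).
ANON_DIRECTIVES = {
    "anonymous_enable": "anonymous logins permitted",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
}

WEAK_CONF = """\
# vsftpd.conf (constructed example, insecure)
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
"""

HARDENED_CONF = """\
# vsftpd.conf (constructed example, hardened)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""


def parse_conf(text):
    """Return {key: value} for key=value lines, ignoring blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_conf(text):
    """List findings for directives that expose the server to anonymous users."""
    settings = parse_conf(text)
    return [
        f"{key}=YES: {why}; set {key}=NO"
        for key, why in ANON_DIRECTIVES.items()
        if settings.get(key) == "YES"
    ]


# One vsftpd.log-style entry per line; only the bracketed user, OK/FAIL,
# the action, the client and an optional quoted path are parsed.
LOG_LINE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

# Constructed log lines: one anonymous session that downloads a file, one
# normal user login, one failed login, and an "ftp" anonymous download.
SAMPLE_LOG = """\
Mon Dec  2 09:15:01 2013 [pid 1234] [anonymous] OK LOGIN: Client "203.0.113.5", anon password "mozilla@"
Mon Dec  2 09:15:03 2013 [pid 1234] [anonymous] OK DOWNLOAD: Client "203.0.113.5", "/pub/reports/lab_results.csv", 48213 bytes, 120.33Kbyte/sec
Mon Dec  2 09:16:10 2013 [pid 1240] [jsmith] OK LOGIN: Client "10.0.0.7"
Mon Dec  2 09:16:20 2013 [pid 1241] [jsmith] FAIL LOGIN: Client "10.0.0.9"
Mon Dec  2 09:17:44 2013 [pid 1250] [ftp] OK DOWNLOAD: Client "198.51.100.23", "/pub/reports/procedures.xlsx", 9120 bytes, 80.10Kbyte/sec
"""

ANON_USERS = {"anonymous", "ftp"}  # vsftpd logs anonymous sessions under either name


def detect_anonymous_activity(log_text):
    """Return alerts for anonymous logins/transfers and per-client transfer counts."""
    alerts = []
    transfers = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        user, status, action, client, path = m.group(
            "user", "status", "action", "client", "path")
        if user.lower() not in ANON_USERS or status != "OK":
            continue  # only successful anonymous sessions are of interest here
        if action == "LOGIN":
            alerts.append(f"anonymous login from {client}")
        elif action in ("DOWNLOAD", "UPLOAD"):
            transfers[client] += 1
            alerts.append(f"anonymous {action.lower()} of {path} by {client}")
    return alerts, dict(transfers)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no anonymous-access findings"])
    alerts, counts = detect_anonymous_activity(SAMPLE_LOG)
    print("\n".join(alerts))
    print(counts)
```

Run against a real server, the config audit belongs in the change-control check that the application questions ask about (it catches the setting before the server goes live), and the log scan belongs in whatever collects the FTP daemon's logs, so that an anonymous download of a file under a patient-data path raises an alert the same day rather than after a stranger leaves a voicemail.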

Final Notes

If you don't have coverage you really should be looking at it because this isn't going to get easier as these things continue to occur.
If you do have coverage you should revisit that application and check that you are following the standards you said you were doing in the policy. This probably won't be the first time this kind of thing comes up.
If you are a BA, you should check yourself and your coverage because your clients may start asking you what you have covered in order to do business with them.