We don't cover stupid, says cyber insurer that's fighting a payout

In 2013, Cottage Health Systems, a California healthcare provider, discovered that the security on one of its servers was disabled. The server contained tens of thousands of patient records. Those files included patients’ names, addresses, dates of birth, and in a few cases, their diagnosis, lab results and procedures performed. Cottage Health Systems and inSync were sued for failing to secure the data, which in itself is a huge expense. Forensic investigators were called in to determine what had happened and remove any malware, which began running up a large bill. The affected patients had to be notified and offered free credit monitoring services.

The healthcare provider felt it was in good shape, since it had purchased insurance to cover a data breach. However, the insurer pointed to a clause in the policy stating that it does not have to pay out when the insured party has been bone-headed about its security. The healthcare provider had failed to follow the minimum required practices. It was not even hacked; it simply exposed the data on the Internet.

Some of the alleged security failings include:

  • Cottage and its third-party vendor, inSync, allegedly failed “to continuously implement the procedures and risk controls identified in its application” for the coverage, including…
  • Configuration and change management for Cottage’s IT systems as well as regular patch management.
  • Alleged failure to regularly “re-assess its information security exposure and enhance risk controls” and to “deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers.”

The cost of this breach quickly exceeded 4 million dollars. In addition to the lawsuit, investigation, and credit monitoring, businesses need to understand how a breach can also affect their reputation, current customer base, and future growth.

When evaluating risk, it can be accepted, mitigated, avoided, or transferred. Cyber insurance is one way many think they can transfer risk to a third party, the insurance company. However, insurance companies have already recognized this and ensured they have clauses in place to protect themselves from organizations that are trying to avoid following required guidelines and basic security requirements.

The majority of data breaches occur when hackers attack vulnerable systems. Identifying these vulnerabilities and ensuring they are addressed is paramount to protecting the organization. It is also critical to continually audit controls and systems; simply taking a snapshot of the network once is not enough to ensure it remains secure, since new attacks and vulnerabilities are discovered all the time.

https://nakedsecurity.sophos.com/2015/05/28/we-dont-cover-stupid-says-cyber-insurer-thats-fighting-a-payout/

Post by Remote Process