
Insurer tells hospitals: You let hackers in, we’re not bailing you out

CEO Richard Blech comments on healthcare breaches. IT departments better pick up their game – like not leaving anon FTP open to the world.

It would seem the customers will need to take out their own insurance to protect them from the healthcare industry… -CEO Richard Blech

When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers.

Now the insurance company, Columbia Casualty Company, has claimed Cottage’s computers were hopelessly insecure, and it wants its money back. Columbia claims the healthcare provider’s IT security was so poor that attackers were able to access its network and sensitive customer data via an anonymous FTP account found via a Google search.

The Columbia suit [PDF] (via Security Ledger) accuses Cottage of failing to meet ‘minimum requests’ regarding data security, putting it in violation of its insurance policy.

According to Columbia, Cottage suffered a breach beginning in October 2013 and notified its insurer in December. For the loss of 32,500 customer records, the healthcare provider was eventually forced to pay out a settlement of $4.125m, which Columbia backed as an insurer.

Columbia argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy.

Among the allegations, Columbia claims that Cottage failed to check for and apply security patches within 30 days of release, replace default access settings on security devices, and undergo annual security audits, and that it outsourced data to firms with poor security. Cottage is also accused of failing to provide adequate detection and tracking of changes to its network and data.

“The data breach at issue in the Underlying Action and the DoJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine,” Columbia said.

Cottage is also under investigation by the Department of Justice for not securing patients’ records properly under the Health Insurance Portability and Accountability Act. Columbia is arguing that it shouldn’t be liable for any costs incurred in that investigation either.

The case is a sign that insurance companies are taking an increasingly tough line in computer crime cases, perhaps because they are getting sick of paying out large sums for avoidable incidents – particularly over something as obvious as insecure FTP access, allegedly.

The legal battle, case 2:15-cv-03432, is being heard by the Central California District Court.

Find the original article here.


Copyright © 2020 Secure Channels Inc. All rights reserved