Columbia Casualty Co – a unit of Chicago-based CNA Financial Corp. – is seeking a ruling from a judge in an attempt to avoid paying a $4.1 million settlement for the HIPAA breach suffered by the Cottage Health System, a not-for-profit network of hospitals in Southern California.
The data breach in question took place between October 8, 2013, and December 2, 2013, not at the Cottage Health System itself but at one of its Business Associates (BA). The breach occurred when data was placed on an unencrypted network server, allowing the information to be indexed by Google and made freely available on the internet. Approximately 32,500 medical records were exposed, along with Personally Identifiable Information (PII) and Social Security numbers.
A class action lawsuit was filed against Cottage Health System over the disclosure, with a $4.1 million settlement being sought. That settlement received preliminary court approval in December 2014, and Columbia Casualty is now trying to avoid paying it.
Breach of Policy Could Mean No Payout
The complainant argues that because the Cottage Health System – via one of its BAs – failed to implement the most basic security measures to protect the data it held, it should not be made to pay for the disclosure, even though the cost of such a disclosure was covered by the policy. The case claims that the failure to implement an appropriate cyber security policy meant the healthcare provider did not meet the insurer’s “minimum required practices.”
During the entire duration of the breach, Cottage Health was covered by a NetProtect360 claims-made policy provided by the complainant. After the preliminary court approval, Cottage Health and Columbia Casualty agreed that the claim would be covered, albeit with a complete reservation of rights. The policy has a limit of $10 million per claim, with a $100,000 deductible.
The insurer has now exercised its right to withdraw its agreement to pay pending the outcome of its complaint, which is made on the grounds of the healthcare provider’s “failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers, and its failure to control and track all changes to its network to ensure it remains secure among other things.”
What does HIPAA Say?
Under the Health Insurance Portability and Accountability Act, all covered entities must exercise control over who is provided with Protected Health Information (PHI). In the wrong hands the data can be used to commit multiple types of fraud and thieves can run up huge debts and obtain millions of dollars’ worth of medical treatment.
Due to the risk of disclosure – accidental and deliberate – HIPAA demands all BAs adhere to HIPAA Privacy, Security and Breach Notification Rules, as is the case with their Covered Entity (CE). They can be held directly accountable for failing to do so. However, the CE may also be penalized for a breach involving a Business Associate, as a CE is ultimately responsible for the actions of those contractors and subcontractors beneath it.
HIPAA violations are a matter for the Department of Health and Human Services’ Office for Civil Rights to deal with, and in this case its auditors are likely to take a keen interest. For now, a judge will decide whether Columbia Casualty is liable to pay the civil claim, and the healthcare provider and BA will have to wait to see what the Office for Civil Rights decides is an appropriate penalty.
HIPAA Covered Entities Beware
Should the case prove successful for the complainant, the healthcare provider will be required to cover the settlement, the legal costs and the considerable cost of dealing with a HIPAA breach: sending breach notification letters, providing credit monitoring services and so on.
This data breach affected a considerable number of patients, although by 2015 standards the breach was relatively small. For a larger data breach, involving 1 million records or more, the financial implications for the provider or health plan could be devastating.
Insurance contracts provided to HIPAA-covered entities are often not too dissimilar to the one “protecting” the Cottage Health System. If a HIPAA violation or lapse in security standards can be used as a get-out clause by insurers not wanting to pay a $10 or $100 million claim, data breaches resulting from HIPAA non-compliance could turn out to be very costly indeed.