Back in 2013, Cottage Health System found out that the third party vendor handling the PHI at one of its hospitals was not actually secure, exposing the private information (names, addresses, DOBs, as well as details about their diagnoses and treatments) of thousands of patients.

Cottage contacted the 32,755 patients whose records were exposed and let them know that their information had been compromised. What happened was that one of Cottage’s vendors, inSync, was storing PHI unencrypted on a system that was easy to access over the internet (that’s what you get when you trust a vendor named after a ’90s boy band).

The affected patients were understandably upset. A class action lawsuit came about, and they were able to get a $4.13 million settlement out of Cottage.

Good thing Cottage had insurance, right?

Not so fast…

In the proud tradition of insurance providers taking their clients’ money month after month, year after year, and then resisting any settlement they might be able to weasel their way out of, the provider of the insurance Cottage had invested in is now claiming that it shouldn’t be on the hook for that settlement.

That insurance provider, the Chicago-based Columbia Casualty Company, has already reimbursed Cottage for that $4.13 million, plus additional legal fees.

Now, it wants that money back.

To be fair, Cottage did sign a contract containing the following clause, which “precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application.”

To further make Columbia’s case, Cottage apparently confirmed to Columbia, before agreeing to the terms of the insurance contract, that it had performed its due diligence and made sure that all of its third-party vendors were adequately secure.

Let this be a lesson to you, hospitals: even insurance might not save you from the wrath of patients scorned. Vet your vendors thoroughly.

Also, don’t neglect investing in your IT infrastructure (and maintaining that infrastructure), because an effective network security solution is all that’s standing between your PHI and cybercriminals, and between you and the multimillion-dollar fines and lawsuits that could result from a breach.

