An insurance company that was previously ordered to pay a settlement for a data breach is seeking a judicial ruling that it does not have to pay, saying the breached health system did not meet the "minimum required practices" in terms of data protection as outlined in its insurance application, according to a Business Insurance Report.
In late 2013, Santa Barbara, Calif.-based Cottage Health System suffered a data breach affecting approximately 32,500 patient medical records. According to the complaint filed in the U.S. District Court in Los Angeles, the data breach allegedly occurred because the system storing the medical records was entirely available to the Internet and did not utilize encryption or other security measures.
In January 2014, the health system faced a class-action lawsuit, which resulted in a $4.1 million settlement agreement. Columbia Casualty, an insurance unit of Chicago-based CNA Financial Corp., which had issued a claims-made policy to Cottage Health System, agreed to pay the settlement.
However, Columbia Casualty then filed the complaint seeking the judicial ruling to remove the settlement obligations, saying the health system did not follow the adequate procedures and risk controls that were outlined in its insurance application, according to the report.
The complaint alleges the breach resulted from Cottage Health System's "failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things," according to the report.
Cottage Health System said in a statement the system is reviewing the lawsuit with counsel, but based on a preliminary review, "we do not believe the suit has merit."