- HIPAA Update - http://blogs.hcpro.com/hipaa -

Liability insurer contests claims for data breach, says hospital failed to follow basic security protocols

A California hospital network that agreed to a $4.13 million settlement to a class-action lawsuit for exposing the PHI of more than 32,000 patients is now getting push back from its liability insurance provider about paying the claims.

In December 2013, it was discovered the health system and a third-party vendor, InSync, stored patients’ unencrypted electronic medical records on a database accessible to the Internet. So, potentially, patients’ PHI could have showed up in an online search engine for the world to see. There was no evidence that actually happened at the time, but Cottage Health had to notify 32,755 patients there PHI may have been publicly exposed.

The health system then agreed to settle a class-action lawsuit brought by the patients. Chicago-based Columbia Casualty Company, Cottage Health’s liability insurer, paid the bill but then filed a complaint in federal court in May 2015, seeking repayment of the insurance claims [1].

The insurer says Cottage Health gave false responses to a risk control assessment when it applied for the liability policy and failed to implement basic security measures, such as having a system in place to detect unauthorized access to PHI or regularly re-assess its information security exposure.

The case is now winding its way through U.S. District Court for Central California.