Insurers blames lack of security at hospital business
A CNA-owned insurance firm called Columbia Casualty is seeking a court ruling that will relieve it of a $4.1m cyber policy payout to a hospital which suffered a data breach.
Columbia argues the policy has an exclusion clause that requires the hospital to meet ‘minimum required practices’ in its security – something it failed to do.
The case is being watched closely by UK and global insurers because it is one of a few well-publicised cases of an insurer refusing a cyber policy.
Cottage Health System, which runs a network of hospitals across South California, suffered a data breach involving about 32,500 confidential medical records between Oct 8, 2013, and Dec. 2, 2013, according to the complaint Columbia filed with a Los Angeles court.
The insurer complains Cottage stored medical records on the internet without an encryption or other security measures.
The Columbia policy provided coverage for privacy injury claims and privacy regulation proceedings, with limits of $10 million per claim and in the aggregate, subject to a $100,000 deductible, according to the complaint, Business Insurance reports.