Insurer tells hospitals: You let hackers in, we're not bailing you out

IT departments better pick up their game – like not leaving anon FTP open to the world


When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers.

Now the insurance company, Columbia Casualty Company, has claimed Cottage's computers were hopelessly insecure, and it wants its money back. Columbia claims the healthcare provider's IT security was so poor that attackers were able to access its network and sensitive customer data via an anonymous FTP account found via a Google search.

The Columbia suit [PDF] (via Security Ledger) accuses Cottage of failing to meet 'minimum requests' regarding data security, putting it in violation of its insurance policy.

According to Columbia, Cottage suffered a breach beginning in October 2013 and notified its insurer in December. For the loss of 32,500 customer records, the healthcare provider was eventually forced to pay out a settlement of $4.125m, that Columbia backed as an insurer.

Columbia argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy.

Among the allegations, Columbia claims that Cottage failed to check for and apply security patches within 30 days of release, replace default access settings on security devices, undergo annual security audits, and outsourced data to firms with poor security. Cottage is also accused of failing to provide adequate detection and tracking of changes to its network and data.

"The data breach at issue in the Underlying Action and the DoJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine," Columbia said.

Cottage is also under investigation by the Department of Justice for not securing patients' records properly under the Health Insurance Portability and Accountability Act. Columbia is arguing that it shouldn't be liable for any costs incurred in that investigation either.

The case is a sign that insurance companies are taking an increasingly tough line in computer crime cases, perhaps because they are getting sick of paying out large sums for avoidable incidents – particularly over something as obvious as insecure FTP access, allegedly.

The legal battle, case 2:15-cv-03432, is being heard by the Central California District Court. ®

Broader topics

Narrower topics


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022