When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers.
Now the insurance company, Columbia Casualty Company, has claimed Cottage's computers were hopelessly insecure, and it wants its money back. Columbia claims the healthcare provider's IT security was so poor that attackers were able to access its network and sensitive customer data via an anonymous FTP account found via a Google search.
According to Columbia, Cottage suffered a breach beginning in October 2013 and notified its insurer in December. For the loss of 32,500 customer records, the healthcare provider was eventually forced to pay out a settlement of $4.125m, that Columbia backed as an insurer.
Columbia argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy.
Among the allegations, Columbia claims that Cottage failed to check for and apply security patches within 30 days of release, replace default access settings on security devices, undergo annual security audits, and outsourced data to firms with poor security. Cottage is also accused of failing to provide adequate detection and tracking of changes to its network and data.
"The data breach at issue in the Underlying Action and the DoJ Proceeding was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine," Columbia said.
Cottage is also under investigation by the Department of Justice for not securing patients' records properly under the Health Insurance Portability and Accountability Act. Columbia is arguing that it shouldn't be liable for any costs incurred in that investigation either.
The case is a sign that insurance companies are taking an increasingly tough line in computer crime cases, perhaps because they are getting sick of paying out large sums for avoidable incidents – particularly over something as obvious as insecure FTP access, allegedly.
The legal battle, case 2:15-cv-03432, is being heard by the Central California District Court. ®