Insurer Says Provider Misrepresented Security Controls After Breach

The insurance company that paid $4.125 million for Cottage Health System to settle a class action lawsuit following a large data breach now wants its money back.


The insurance company that paid $4.125 million for Cottage Health System to settle a class action lawsuit following a large data breach now wants its money back.

Santa Barbara, Calif.-based Cottage Health in early December 2013 discovered that a third-party vendor “appeared to have removed electronic security protections from one of its servers without informing Cottage, resulting in the exposure of certain information stored on the server,” according to a statement at the time from Cottage Health.

That meant protected health information on about 32,500 patients was accessible on the Internet simply through a Google search, according to insurer Columbia Casualty Company, which has filed a lawsuit in U.S. District Court for the Central District of California and seeks repayment from Cottage Health.

Also See: 10 Strategies for Protecting Patient Data

Columbia Casualty in the suit says it wants the $4.125 million plus attorney fees and other related expenses back because Cottage Health did not follow minimum required practices for protecting information and did not truthfully attest to its security controls. Further, the insurer charges that misrepresentations and/or omissions of fact were made negligently or with intent to deceive.

A spokesperson for Cottage Health System did not respond to a request for comment on the lawsuit. A copy of the suit, “Columbia Casualty Company v. Cottage Health System,” is available here, courtesy of The Register, an independent IT news site.

More for you

Loading data for hdm_tax_topic #care-team-experience...