A relatively small data-theft hacking from two years ago may turn out to have large implications for the thorny legal question of just who should bear the costs when customer data is stolen from companies.
In December 2013, news broke that Cottage Health System, which operates a handful of hospitals in southern California (including Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital and Santa Ynez Valley Cottage Hospital), suffered an obvious data-security breach. Confidential data from almost 33,000 Cottage Health patients going back to September 2009 was exposed on the Internet.
This data included patients' names, addresses and dates of birth, and sometimes their diagnoses, lab results and any procedures performed.
In February 2014, former patients filed a class-action lawsuit against Cottage Health and inSync (the company responsible for putting Cottage records in a secure online location), complaining that from Oct. 8 through Dec. 2 of the previous year, the records of people who attended any Cottage hospital from Sept. 29, 2009 through Dec. 2, 2013 were available online, and that inSync “failed to provide any encryption or other security to prevent anyone from reading the medical records.”
However the courts ruled, the data breach was bound to prove expensive for Cottage Health. Luckily, the company has insurance to cover the costs of such a data breach.
So Cottage filed a claim with its insurer, Columbia Casualty – and this month Columbia filed a counter-claim (available in .pdf form here) seeking repayment of the money it shelled out for Cottage's claim, on the grounds that the healthcare provider failed to follow “minimum required practices” as specified in the insurance policy.
17. The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who “surfed” the internet.
18. The complaint alleges that Cottage violated its nondelegable duties under CMIA and HIPAA to maintain the security of its patients’ confidential medical records and to detect and prevent data breaches on its system that would allow such information to become available to the public through the internet.
Or, as the Naked Security blog summarized Columbia's argument: “We don't cover stupid.”
Most insurance policies contain similar anti-stupidity clauses. For example, suppose your auto insurance includes coverage in case your car is stolen. You're still expected to take reasonable care to protect the car from thieves – which means, if your car gets stolen because you parked it with the doors unlocked, windows rolled down and keys in the ignition, your insurance company can probably refuse to pay on the grounds that they don't cover stupid.
And putting unencrypted, confidential patient data online where it can be seen in Google searches and other standard Internet activities is even stupider than that.
Remember earlier, when we referred to the Cottage Health data breach as a “hacking”? That's actually not the right word to describe what happened; during the two months that unencrypted data was available online, you wouldn't need to be a “hacker” to see it, any more than you need to be a “hacker” to read this news story, which is posted on a public website available to all major search engines.
And the non-hacking nature of the Cottage data breach, in turn, makes it extremely difficult to know just who might've seen that data while it was available. In fact, almost anyone might've seen that data, maybe without even realizing what they were looking at — perhaps it was one of the search results you saw when you searched the name of your old friend from high school, a former classmate who now lives in southern California and sought medical treatment at a Cottage hospital earlier this decade.
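The exposure described above leaves a footprint that a security operations team can check for after the fact: when records sit on a web server with no authentication, the server's own access log records search-engine crawlers fetching them with an HTTP 200 and no logged username. The script below is an added example written for this article, not code from Cottage Health, inSync, Columbia Casualty or the court filings. The log lines are constructed sample data in the common Apache/nginx “combined” format, and the path prefix /records/ is an assumed location for the sensitive documents; the check reports every anonymous crawler request to such a path that succeeded, and separately flags directory-index fetches, which expose the whole set of filenames at once.

```python
"""Flag successful, unauthenticated search-engine crawler hits on sensitive paths.

Added example (not the article's or any vendor's code). Log lines and the
/records/ prefix are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample access-log lines in the "combined" format. They are not
# real Cottage Health or inSync logs; IPs and paths are illustrative.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Oct/2013:03:14:07 +0000] "GET /records/patient-10492.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.5 - jdoe [10/Oct/2013:09:01:22 +0000] "GET /records/patient-10492.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Oct/2013:03:14:09 +0000] "GET /records/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [11/Oct/2013:03:14:09 +0000] "GET /records/patient-10493.pdf HTTP/1.1" 401 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [12/Oct/2013:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
"""

# One "combined" log line: client, ident, authenticated user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent fragments of the major search-engine crawlers. An anonymous 200
# served to one of these for a sensitive path means the content was indexable.
CRAWLER_RE = re.compile(
    r'googlebot|bingbot|yandexbot|duckduckbot|baiduspider|slurp', re.I
)


@dataclass
class Hit:
    ip: str
    user: str
    ts: str
    path: str
    status: int
    ua: str


@dataclass
class Exposure:
    ts: str
    path: str
    crawler_ua: str
    directory_listing: bool  # True when the crawler fetched a directory index


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m['ip'], m['user'], m['ts'], m['path'], int(m['status']), m['ua'])


def find_crawler_exposures(log_text: str,
                           sensitive_prefixes: Sequence[str]) -> List[Exposure]:
    """Return every successful crawler fetch of a sensitive path that carried
    no HTTP authentication (the authenticated-user field is '-').

    This detects missing HTTP-level auth only; an application that checks a
    session cookie before serving content would not log a username here, so
    hits on such paths still need review against the application's own logs.
    """
    exposures: List[Exposure] = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None or hit.status != 200:
            continue                       # skipped, denied, or unparseable
        if hit.user != '-':
            continue                       # request carried HTTP auth credentials
        if not CRAWLER_RE.search(hit.ua):
            continue                       # not a search-engine crawler
        if not any(hit.path.startswith(p) for p in sensitive_prefixes):
            continue                       # path outside the sensitive area
        exposures.append(Exposure(hit.ts, hit.path, hit.ua, hit.path.endswith('/')))
    return exposures


if __name__ == '__main__':
    for e in find_crawler_exposures(SAMPLE_LOG, ('/records/',)):
        kind = 'DIRECTORY INDEX' if e.directory_listing else 'document'
        print(f'{e.ts}  {kind:15}  {e.path}  <- {e.crawler_ua}')
```

Run against the constructed sample, the script reports two exposures: the patient document fetched by Googlebot and the /records/ directory index, which is the more serious finding because an index listing lets a crawler discover every file in the directory. The request by the authenticated user jdoe and the request that was refused with a 401 are correctly left out. A 401 or 403 to an anonymous crawler is what a properly protected records path should look like in this log.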