Sloppy security practices have exposed millions of health care consumers to cybercrime. The attacks on health care data systems demonstrate, and Habeas Hard Drive can attest from experience, that the medical field, generally speaking, simply isn’t very serious about information security.
Now comes this legal mess, as an insurance company denies cybercrime coverage because the insured did not meet basic information security requirements outlined in the policy.
Columbia Casualty Company agreed to the terms of a $4.1 million class action settlement on behalf of Cottage Health customers whose medical records were exposed. But Columbia now claims that it’s not obligated to pay. It seems the 2013 data breach occurred because Cottage failed in some very elementary security practices.
Habeas Hard Drive sees this as a possible trend: just as insurers are figuring out how to cover cybercrime, they are also becoming more sophisticated about risk assessment. Not unlike insurance companies that offer a discount for fire-resistant roofing, business insurers will be looking for security standards that mitigate the risk of information theft.
Business is also starting to understand that nobody except top management can truly grasp what’s at stake when data is stolen. More corporate boards are pointing the finger straight at the CEO when a high-profile data breach occurs. Does this mean CEOs will be more accountable for information security? Habeas Hard Drive has observed that they are more likely to fire middle managers and sue vendors than take responsibility. But time will tell.