Sloppy security practices have exposed millions of healthcare consumers to cybercrime. Attacks on healthcare data systems demonstrate, and Habeas Hard Drive can attest from experience, that the medical field as a whole simply isn’t very serious about information security.
Now comes this legal mess, as an insurance company denies cybercrime coverage because the insured did not meet basic information security requirements outlined in the policy.
Columbia Casualty Company agreed to the terms of a $4.1 million class action settlement on behalf of Cottage Health customers whose medical records were exposed. But Columbia now claims that it’s not obligated to pay. It seems the 2013 data breach occurred because Cottage failed in some very elementary security practices.
Habeas Hard Drive sees this as a rising trend. Just as insurers are figuring out how to cover cybercrime, they are also becoming more sophisticated about risk assessment. Not unlike fire insurance policies that come with a discount for fire-resistant roofing, business insurers will demand security standards that mitigate the risk of information theft.
Business, meanwhile, is starting to understand that nobody except top management can truly grasp what’s at stake when data is stolen. More corporate boards are pointing the finger straight at the CEO when a high-profile data breach occurs. Does this mean CEOs will be more accountable for information security? Habeas Hard Drive has observed that they are more likely to fire middle managers and sue vendors than take responsibility. But time will tell.