
In 2013, Cottage Health in Southern California notified 32,755 patients that their IT Provider had made changes to their network, decreasing security and exposing patient records to the internet, where they were searchable on Google.

Fast forward four years and now Cottage Health is being sued by their insurance carrier for not adhering to the terms of their contract. This is not surprising at all, since the insurance carrier has paid out over $4.13 million in claims. When the insurance carrier looked back at the initial paperwork from Cottage Health, they found that Cottage had “provided false responses” on the self-assessment application.

Among the claims from the insurance carrier, Columbia Casualty Company, is the allegation that Cottage Health failed to perform due diligence on third-party vendors. Basically, they are being sued because Cottage failed to vet their IT Provider: to ensure that the provider was adhering to business security best practices, to confirm the IT Provider carried adequate data breach insurance, and to have those obligations outlined in some form of contract.

There are so many things going on here that were preventable. Let’s start from the beginning.

HIPAA states that an IT Provider is a Business Associate. Because of that, a Covered Entity, in this case Cottage Health, would have to vet that vendor to ensure they are adhering to the regulation and the responsibilities of an IT Provider Business Associate prior to signing any agreement for services. It appears this wasn’t done. In fact, Business Associate Review is rarely done, especially in small businesses. Cottage Health should be a cautionary tale as to why you need to do your due diligence with vendors before signing agreements.

In addition, Cottage should have signed a Business Associate Agreement (BAA) that clearly spells out what is covered in regards to financial responsibility in the event of a breach. This is true across the board with all Business Associates. Covered Entities are supposed to do this, yet I see BAAs all the time that omit financial responsibility. The whole point of a BAA is to make your Business Associate financially responsible in the event they cause a breach. It appears that in this case, Cottage failed to do this and is paying the price.

I cannot impress upon you enough — check your BAAs and make sure you aren’t accepting your vendor’s risk. This example with Cottage Health is the new reality. Your insurance won’t cover your vendor’s mistakes. It’s up to you to make them responsible before engaging in business with them.

On the topic of insurance, if you don’t have a specific policy for Data Breach with Cyber Liability and Cyber Crime coverage of at least $500,000, you should get it today. Contact me for references if you need help.

This blog post is longer than most that I write; however, this is a story that hits home, not just because it involved an IT Provider, but because it also involves Business Associate Review, which is a passion project of ours. Cottage Health is suffering the consequences of not looking at the risks their Business Associates introduce to them. Have you?