Breaches of patient data can be very expensive, as was pointed out in this article about BlueCross BlueShield of Tennessee. So far the remediation costs of that data breach are up to $7 million. So the big question is: who pays for the remediation costs? Many medical facilities have liability insurance, and there are insurance policies that can be purchased to cover the cost of HIPAA violations.

There is a very interesting case involving the University of Utah, as noted in this Dark Reading article.

According to news reports, Colorado Casualty Insurance Co. last week asked a judge to rule that it is not liable to pay a $3.3 million claim filed by its client, Perpetual Storage, after a burglar stole backup tapes containing the personal records of 1.7 million University of Utah medical patients from a Perpetual employee’s car.

The request for a ruling is in response to a lawsuit filed in April by the University of Utah, which is seeking reimbursement from Perpetual Storage and its insurers for the $3.3 million it spent to remediate potential security problems caused by the theft of the backup tapes in 2008.

At issue is who should pay those $3.3 million remediation costs: the University of Utah, which owns the patient data; Perpetual Storage, which violated policy by leaving the university’s backup tapes in a car while in transit to a secure facility; or Perpetual Storage’s insurance company, which issued a policy to protect Perpetual from costs arising from a data breach.

The case is very interesting because the data breach was the result of a backup tape stolen from the car of a Business Associate's employee. The University of Utah wants to be reimbursed for the $3.3 million that it spent to remediate the data breach. Perpetual Storage, the Business Associate, wants its insurer, the Colorado Casualty Insurance Co., to pay for the costs. The Colorado Casualty Insurance Co. is asking the courts to rule that it is not liable to pay the $3.3 million.

The outcome of the case may set standards for exactly who pays for remediation costs. No matter what the outcome of the case is, now would be a good time to start discussing with your insurance provider what your liability insurance covers and what it doesn't cover. As you can see, data breaches can be very expensive, and knowing what your coverage is and ensuring that you have the appropriate coverage is critical. You don't want to start having these conversations AFTER a data breach has occurred.
