OK, this is not a small physician’s office that incurred the breach. The theft was solved and the records were returned, but in the meantime protection had to be offered to the tune of $2.5 million in fees. The University of Utah is now tied up in court trying to get the insurance carrier of the courier company to cover it.
The courier service, which has a contract for storing records, made the error of leaving the magnetic tapes in a box in a car, from which the box was stolen. Perpetual, the company providing the storage service for the sensitive records (and, of course, no longer a contractor), had insurance to cover this, and its insurer is the party that is not paying. Colorado Casualty Insurance is the one refusing to pay to cover the vendor. In the meantime, the University is at a loss in recovering its costs.
This is an ugly battle by all means, but if you don’t get anything else from reading this, look at the big cost involved with security breaches and do all you can to avoid them. Prevention is a lot cheaper than the bill in question here. BD
A Colorado insurance company contends it is not obligated to cover astronomical costs incurred by the University of Utah in 2008 after car burglars stole medical billing records filled with sensitive personal information on 1.7 million patients.
U. officials want Perpetual Storage to reimburse the university more than $3.3 million. That's how much the school spent notifying patients of the theft and providing credit monitoring to any who asked, according to a suit filed by the firm's insurer, Colorado Casualty Insurance Co., in U.S. District Court.
The insurer insists the claim is not covered by Perpetual's policy and is seeking a judicial ruling to support its position.
In violation of company policies, a Perpetual courier left electronic U. patient records, stored on magnetic tapes and secured in a metal box, in his personal vehicle overnight in June 2008, police reported. Thieves broke into the car, parked outside a Kearns residence, and made off with the box, whose contents covered 16 years' worth of hospital and clinic billings. The records were filled with Social Security numbers, dates of birth and procedure codes that tech-savvy criminals could use to steal patients' identities.
The heist earned the two culprits jail sentences and restitution limited to the $500 value of the metal box. But the crime was not solved in time to spare the U. the obligation of contacting thousands of patients.
According to the insurer's suit, the U. claims it generated 6,232 personnel hours responding to "the Incident" and spent $646,149 on printing and mailing costs and another $81,389 on a phone bank to field more than 11,000 calls over two weeks. But the big hit was nearly $2.5 million for credit-monitoring services for those whose Social Security numbers could have been poached.