Insurer refutes liability on $3.3 million data breach

The Colorado Casualty Insurance Co. has filed a lawsuit in Utah claiming that it is not liable for reimbursing the university for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

Reporting on the precedent-setting suit, the Computerworld newswire notes that the nine-page complaint – which seeks a declaratory judgement from the court – "offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach related costs sought by the university."

In June 2008, the University of Utah Hospitals & Clinics notified around 2.2 million patients and guarantors of the theft of backup tapes containing billing data.

The data lost in breach, which affected everyone treated at the Salt Lake City-based centre over the preceding 16 years, included names and related demographic information, diagnostic codes and social security numbers for a large number of individuals.

The university says it sent a letter of notification to all affected individuals, established a toll-free support line and offered a year's free credit monitoring services and identity theft insurance for the 1.3 million individuals affected.

Infosecurity notes that the billing tapes were stolen from the personal car of a driver at Perpetual Storage, a local company that stored the university's tapes in an off-site vault.

At the time, the university said that the driver violated company protocols by not using a secure company van and left the tapes in his car overnight instead of delivering them to the vault. Although the disks were recovered a short time later, the university says it still spent more than $3.3 million on remediating the problems.

The Computerworld newswire quotes Christopher Nelson, a university spokesperson as saying that the university would be "very disappointed" if a judge ruled in favour of the insurance company's complaint.

In that case, he says, the university will consider other avenues, which could include filing a lawsuit against Perpetual or its insurance agent, to recover the money.

What’s Hot on Infosecurity Magazine?