Insurer Denies Reimbursement to U. of Utah in Data Breach

A Colorado insurance company says it is not responsible for reimbursing the University of Utah for a $3.3-million data breach.

Colorado Casualty Insurance Co. has filed a lawsuit in U.S. District Court in Utah against Perpetual Storage, the provider responsible for housing the university’s data, claiming that it is not obligated under its policy with the company to cover its costs in the incident.

Data tapes stolen in 2008 contained information about 1.7 million patients at the University of Utah’s hospitals and clinics, including addresses and social security numbers. The university sought $3.3-million from Perpetual Storage, the provider responsible for housing the school’s data, for incident-related costs.

Rodney Petersen, security task force coordinator at Educause, said he sees a growing trend of universities trusting data to third parties. Although the security risks essentially remain the same, he said, it leaves universities vulnerable to such confusions over liability.

“The risk is the unknown, or the uncertainty, because of the loss of control beyond the institution itself,” he said.

The University of Utah says it spent $3.3-million in patient notification costs, telephone bills, credit-monitoring expenses, and other miscellaneous costs. After the data security breach, the university set up a toll-free support line for handling questions and concerns. It also offered a year of free credit monitoring to all patients whose social security numbers had been compromised.

Christopher Nelson, a spokesman for the University of Utah Health Care and Health Sciences, told Computerworld that the university would be “very disappointed” if Colorado Casualty won its lawsuit. It would then consider suing Perpetual Storage for reimbursement.

Return to Top