LOS ANGELES (CNS) -- The UC Regents allege in a new lawsuit that an insurer is wrongfully denying payment for millions of dollars in losses incurred after cyber attackers obtained access to parts of UCLA Health's computer network in 2014.
The regents filed the lawsuit Friday in Los Angeles Superior Court against Certain Underwriters at Lloyd's, London, alleging breach of contract and seeking unspecified compensatory damages.
Lloyd's has not honored its obligations under the cyber insurance policy signed with the regents in July 2014, repeatedly denying coverage for any losses related to the UCLA Health cyber breach based on its reading of a condition in the coverage that is contrary to California rules of policy interpretation, the suit states.
A Lloyd's representative did not immediately reply to a request for comment.
According to the complaint, the regents determined in May 2015 that the attackers may have accessed parts of the network that contain personal identifying information of UCLA Health patients, including names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan identification numbers and some medical information.
As part of its investigation, UC paid certain third parties to conduct forensic analyses of the UCLA Health network, in part to identify whether the incident had potentially exposed any personal identifying information, according to the suit, which also states that the regents hired a law firm to inform the regents regarding their notification obligations as well as another third party to provide those notices.
The regents notified the insurer of the breach in June 2015, the suit states. After UCLA Health announced the breach a month later, the regents were sued in 17 class-action lawsuits in Los Angeles Superior Court by then-current or former patients whose personal information was stored on the parts of the UCLA Health computer network potentially accessed by the cyber attackers, the suit states.
The patients said the regents failed to properly protect their personal data. The parties signed a settlement in February 2019 that required the regents to pay $2 million into a claims fund for class members affected by the incident and $5 million into a cybersecurity enhancement fund to address vulnerabilities that allegedly contributed to the breach, the suit states.
The settlement also obligated the regents to fund identity theft monitoring services for two years for interested class members, pay all settlement administration costs and class notification costs and pay the class plaintiffs' attorneys' fee award, according to the suit, which further states that preliminary approval was given to the accord in February 2019 and final approval in June of that year.
The regents have incurred substantial investigation and defense costs since the first case and continue to pay money because the settlement administration process is ongoing, the suit states. The regents also have been spending money to investigate and issue notifications to various federal and state regulators about the cyber breach and to respond to inquiries from some of the state regulatory agencies that received those notifications, according to the suit.
In a June 2017 letter, Lloyd's denied coverage under the policy for all losses incurred by UC to date in connection with the UCLA Health cyber breach, including the response costs and defense costs for the patient lawsuits, the suit states.
Copyright 2023, City News Service, Inc.