Cyber insurance policies can help to cover the cost of losses from ransomware attacks, but these policies are becoming more difficult to obtain. Insurers are tightening their requirements for obtaining policies and many insurers are placing limits on underwriting amounts. Premiums are also skyrocketing, putting policies out of the reach of many healthcare organizations, if insurance can even be obtained. There has been further bad news this week for healthcare organizations that have been unable to obtain cyber insurance, as the Ohio Supreme Court has recently ruled that ransomware attacks do not constitute physical damage, which means claims cannot be made against property insurance policies.
The decision ends a 3-year court battle between the medical billing software developer, EMOI, and its insurer, Owners Insurance Company. EMOI suffered a ransomware attack in September 2019 and paid the ransom demand of $35,000 to regain access to its files. EMOI also invested in upgrades to its security infrastructure to prevent further attacks. The ransomware gang provided the keys to decrypt data and most files could be recovered; however, it was not possible to decrypt its automated phone call system, which had to be replaced.
EMOI submitted a claim against its property insurance policy to try to recover the losses, but the claim was rejected. EMOI then took legal action against Owners as the insurance policy covered direct physical loss to digital media. Owners maintained that the ransomware attack did not have a physical dimension and was therefore not covered by the insurance policy, and that the policy excluded ransomware losses.
In November 2021, an Ohio Appellate Court ruled in favor of EMOI and allowed a claim against the insurer for treating EMOI in bad faith, by failing to fully consider the various types of damage that can occur to media such as software; however, all seven of the Ohio Supreme Court justices sided with Owners, and issued a summary judgment dismissing the EMOI lawsuit.
EMOI had argued that computer software falls under the category of “media” that can be damaged, even though software is non-physical, so the losses should therefore be covered by the insurance policy even though there was no damage to hardware. The Supreme Court justices were not persuaded by that argument, ruling that “The most natural reading of the phrase ‘direct physical loss of or damage to’ is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media.”
While the term “computer software” is included within the definition of “media”, the justices ruled that computer software was only included insofar as the software is contained on covered media, and that covered media means the media has a physical existence. Since there was no direct physical loss or physical damage to the covered media containing the computer software, the losses were not covered under the policy. Further, computer software cannot experience direct physical loss or physical damage because it does not have a physical existence.
The post Lawsuit Seeking Property Insurance Cover for Ransomware Attack Fails appeared first on HIPAA Journal.