DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Medical billing service seeking insurance coverage for ransomware attack among upcoming Ohio Supreme Court cases

Posted on July 30, 2022 by Dissent

Operating in an increasingly digital economy means businesses face a growing threat from cybercriminals looking to hold computer operating systems hostage until a ransom is paid. Businesses that suffer from such crimes have turned to their “all risk” insurance policies for assistance.

Next week, the Supreme Court of Ohio will consider whether a Dayton-area company’s insurance policy, with its three additional “endorsements” to cover its electronic equipment and computers, will pay for the damages from a ransomware attack.

Ransomware is malicious software that gains remote access to a computer device or network and encrypts the computer system or files, preventing access. A ransom payment demand is made to regain access.

The parties in the case say many courts around the nation have heard disputes regarding business insurance coverage for ransomware attack claims, but this is the first time the Supreme Court of Ohio will address the issue. It has drawn national interest through groups filing amicus curiae briefs in the case.

Ransomware attacks have been on the rise for a decade, industry analysts report, but the intrusions went into overdrive at the height of the COVID-19 pandemic. In a joint brief from the Ohio Insurance Institute and the American Property Casualty Insurance Association, the groups note that between July 2020 and July 2021, ransomware attacks have increased from about 13,992 per week to 149,157 per week. Business service providers are among the top targets of the attacks, the insurer groups stated.

The insurance industry has developed policies to cover certain cybercrimes, and cybercrime claims are rapidly shifting to ransomware attacks. The insurer groups note that between 2014 and 2019, more than half of all cybercrime insurance claims were for data theft. Only about 13 percent of the claims were reported for ransomware attacks. In 2020, 54 percent of all claims were for ransomware or malicious software attacks, the groups noted.

EMOI Services, which provides medical billing services and support to medical providers, experienced a ransomware attack in September 2019. EMOI learned a hacker was demanding three bitcoin — at the time worth about $35,000 — to provide a “decryption key” that would allow the company to restore its operations. EMOI agreed to pay the ransom, and within a day, the company was able to partially restore its system to point that it could serve its clients.

EMOI filed a claim with Owners Insurance Company. The company’s IT manager told the Owners Insurance claims adjuster the data was not “physically damaged,” but was inaccessible because the hacker encrypted it. The adjuster denied EMOI’s claim, noting that the policy addressed the “direct physical loss or damage to ‘media,’” and only paid for software repair if the tangible media, such as disk, film or magnetic tape, was physically damaged.

EMOI filed a breach-of-contract lawsuit in Montgomery County Common Pleas Court, arguing the adjuster didn’t understand that the software was damaged by the attack. In 2021, the trial court granted summary judgment to Owners Insurance, stating the situation was a “data compromise” rather than physical damage to electronic equipment. EMOI’s insurance policy had coverage for a “data compromise,” but that endorsement specifically excluded coverage for extortion, blackmail, or ransom payments, the court concluded.

EMOI appealed to the Second District Court of Appeals, which reversed the trial court’s decision. Owners Insurance appealed to the Supreme Court.

Owners Insurance argues the business property insurance policy covers the “direct physical loss of, or damage to, covered property,” which courts have ruled to mean structural damage to tangible property. Separate policies concerning cybercrimes are available, and EMOI chose not to purchase such coverage, the insurer asserts. A traditional property policy covers tangible items, such as computers, and shouldn’t be interpreted to cover interruptions of software use, the insurer claims.

Owners Insurance maintains that EMOI’s losses were like a person forgetting a password to an online bank account. A person’s money isn’t “damaged” when the password isn’t working, but rather the account holder only lost access to the money until access is regained.

EMOI counters this isn’t a case about business insurance in general, but rather the specific additional coverages it bought to protect itself. Its policy from Owners Insurance includes coverage for computer software contained on covered property. EMOI says its software was located on servers damaged by the attack.

EMOI argues the loss wasn’t like a misplaced password. Once the company recovered access, it could provide services to clients, but the hacker damaged the software. The cost to fix the damage to the software should be covered by the policy, the company concludes.

The Court will hear EMOI Services v. Owners Insurance Company and two other appeals on Aug. 2. Arguments begin at 9 a.m. and streamed live online at sc.ohio.gov and on the Ohio Channel, where they are also available for later viewing.

• A patient sued his Cincinnati back surgeon after a March 2010 surgery. The patient is one of hundreds who have filed lawsuits against the doctor, who left the country in late 2013. In Elliot v. Durrani et al., the patient argues a four-year deadline for filing his medical claims was extended because the doctor left the country. The doctor responds that the timeframe for filing a medical lawsuit can be extended only for the exceptions stated in the law that sets the deadline. Leaving the state isn’t one of the exceptions listed, so the deadline can’t be extended, the doctor asserts.

• An electric company is planning to upgrade a 50-year-old electric line in Washington County between two power facilities. A state agency determined that the project was necessary and would serve the public interest. The company needs easements from multiple property owners to rebuild the line, which crosses their properties. In Ohio Power Company v. Burns, the company sued to assert eminent domain to secure the easements from some landowners. The company maintains that to use eminent domain, Ohio law requires the overall project to be necessary. However, each easement for the landowners doesn’t need to be reviewed, the company contends. The landowners argue the easements must be evaluated to assess whether what is being taken is more than is necessary for the public use. Nine groups submitted amicus briefs in the case.

Source: Dan Trevas, Ohio Supreme Court Office of Public Information, courtnewsohio.gov, via The Highland County Press.

Category: Commentaries and AnalysesMalware

Post navigation

← Cyberattacks on satellites may only be getting more worrisome
Thai entities continue to fall prey to cyberattacks and leaks →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.