DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Medical billing service seeking insurance coverage for ransomware attack among upcoming Ohio Supreme Court cases

Posted on July 30, 2022 by Dissent

Operating in an increasingly digital economy means businesses face a growing threat from cybercriminals looking to hold computer operating systems hostage until a ransom is paid. Businesses that suffer from such crimes have turned to their “all risk” insurance policies for assistance.

Next week, the Supreme Court of Ohio will consider whether a Dayton-area company’s insurance policy, with its three additional “endorsements” to cover its electronic equipment and computers, will pay for the damages from a ransomware attack.

Ransomware is malicious software that gains remote access to a computer device or network and encrypts the computer system or files, preventing access. A ransom payment demand is made to regain access.

The parties in the case say many courts around the nation have heard disputes regarding business insurance coverage for ransomware attack claims, but this is the first time the Supreme Court of Ohio will address the issue. It has drawn national interest through groups filing amicus curiae briefs in the case.

Ransomware attacks have been on the rise for a decade, industry analysts report, but the intrusions went into overdrive at the height of the COVID-19 pandemic. In a joint brief from the Ohio Insurance Institute and the American Property Casualty Insurance Association, the groups note that between July 2020 and July 2021, ransomware attacks have increased from about 13,992 per week to 149,157 per week. Business service providers are among the top targets of the attacks, the insurer groups stated.

The insurance industry has developed policies to cover certain cybercrimes, and cybercrime claims are rapidly shifting to ransomware attacks. The insurer groups note that between 2014 and 2019, more than half of all cybercrime insurance claims were for data theft. Only about 13 percent of the claims were reported for ransomware attacks. In 2020, 54 percent of all claims were for ransomware or malicious software attacks, the groups noted.

EMOI Services, which provides medical billing services and support to medical providers, experienced a ransomware attack in September 2019. EMOI learned a hacker was demanding three bitcoin — at the time worth about $35,000 — to provide a “decryption key” that would allow the company to restore its operations. EMOI agreed to pay the ransom, and within a day, the company was able to partially restore its system to point that it could serve its clients.

EMOI filed a claim with Owners Insurance Company. The company’s IT manager told the Owners Insurance claims adjuster the data was not “physically damaged,” but was inaccessible because the hacker encrypted it. The adjuster denied EMOI’s claim, noting that the policy addressed the “direct physical loss or damage to ‘media,’” and only paid for software repair if the tangible media, such as disk, film or magnetic tape, was physically damaged.

EMOI filed a breach-of-contract lawsuit in Montgomery County Common Pleas Court, arguing the adjuster didn’t understand that the software was damaged by the attack. In 2021, the trial court granted summary judgment to Owners Insurance, stating the situation was a “data compromise” rather than physical damage to electronic equipment. EMOI’s insurance policy had coverage for a “data compromise,” but that endorsement specifically excluded coverage for extortion, blackmail, or ransom payments, the court concluded.

EMOI appealed to the Second District Court of Appeals, which reversed the trial court’s decision. Owners Insurance appealed to the Supreme Court.

Owners Insurance argues the business property insurance policy covers the “direct physical loss of, or damage to, covered property,” which courts have ruled to mean structural damage to tangible property. Separate policies concerning cybercrimes are available, and EMOI chose not to purchase such coverage, the insurer asserts. A traditional property policy covers tangible items, such as computers, and shouldn’t be interpreted to cover interruptions of software use, the insurer claims.

Owners Insurance maintains that EMOI’s losses were like a person forgetting a password to an online bank account. A person’s money isn’t “damaged” when the password isn’t working, but rather the account holder only lost access to the money until access is regained.

EMOI counters this isn’t a case about business insurance in general, but rather the specific additional coverages it bought to protect itself. Its policy from Owners Insurance includes coverage for computer software contained on covered property. EMOI says its software was located on servers damaged by the attack.

EMOI argues the loss wasn’t like a misplaced password. Once the company recovered access, it could provide services to clients, but the hacker damaged the software. The cost to fix the damage to the software should be covered by the policy, the company concludes.

The Court will hear EMOI Services v. Owners Insurance Company and two other appeals on Aug. 2. Arguments begin at 9 a.m. and streamed live online at sc.ohio.gov and on the Ohio Channel, where they are also available for later viewing.

• A patient sued his Cincinnati back surgeon after a March 2010 surgery. The patient is one of hundreds who have filed lawsuits against the doctor, who left the country in late 2013. In Elliot v. Durrani et al., the patient argues a four-year deadline for filing his medical claims was extended because the doctor left the country. The doctor responds that the timeframe for filing a medical lawsuit can be extended only for the exceptions stated in the law that sets the deadline. Leaving the state isn’t one of the exceptions listed, so the deadline can’t be extended, the doctor asserts.

• An electric company is planning to upgrade a 50-year-old electric line in Washington County between two power facilities. A state agency determined that the project was necessary and would serve the public interest. The company needs easements from multiple property owners to rebuild the line, which crosses their properties. In Ohio Power Company v. Burns, the company sued to assert eminent domain to secure the easements from some landowners. The company maintains that to use eminent domain, Ohio law requires the overall project to be necessary. However, each easement for the landowners doesn’t need to be reviewed, the company contends. The landowners argue the easements must be evaluated to assess whether what is being taken is more than is necessary for the public use. Nine groups submitted amicus briefs in the case.

Source: Dan Trevas, Ohio Supreme Court Office of Public Information, courtnewsohio.gov, via The Highland County Press.

Category: Commentaries and AnalysesMalware

Post navigation

← Cyberattacks on satellites may only be getting more worrisome
Thai entities continue to fall prey to cyberattacks and leaks →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.