Medical Billing Service Needs Insurance for Ransomware Attack

Court considers whether business insurance covers ransomware ransom costs

Court considers whether business insurance covers ransomware ransom costs

Operating in an increasingly digital economy means businesses face an increased threat from cybercriminals looking to hold computers until a ransom is paid. Businesses suffering from such crimes have turned to their “all risk” insurance policies to help them.

Next week, the Supreme Court in Ohio will consider whether the Dayton-area company’s insurance company, with its three “authorized” additions to its electronic equipment and computers, will pay damages due to the ransom ransom. Ransomware is malicious software that gains access to a computer or the Internet and encrypts computer systems or files, preventing access. The need for ransom payments is made to regain access.

The parties in the case say that many courts in the country have heard disputes involving business insurance for ransom claims, but this is the first time the Ohio Supreme Court has addressed the issue. It has attracted national attention through groups filing amicus curiae briefs in the case.

Ransomware attacks have been on the rise for a decade, industry analysts say, but intrusions peaked during the COVID-19 pandemic. Briefly sourced Ohio Insurance Institute and American Property Casualty Insurance Association, the groups note that between July 2020 and July 2021, ransomware attacks have increased from 13,992 per week to 149,157 per week. Business agents are among the most vulnerable, insurance groups said.

Insurance companies have created policies to prevent certain cybercrimes, and cybercrime claims are quickly shifting to ransomware attacks. Insurance groups note that between 2014 and 2019, more than half of all online insurance claims were data theft. Only about 13% of those claims were about ransomware attacks. In 2020, 54% of all claims were about ransomware or malicious software attacks, the groups noted.

Service Provider Needs Protection From Intrusion
EMOI Services, which provides medical services and support to healthcare providers, faced a ransom in September 2019. EMOI learned that the hacker was seeking three bitcoins – at the time about $35,000 – to provide a “decryption key” that would allow the company. restore his works. EMOI agreed to pay the ransom, and within a day, the company was able to partially restore its system to serve its customers.

EMOI filed a complaint with the Owners Insurance Company. The company’s IT manager told Owners Insurance adjusters that the data was “not compromised,” but it was impossible because the hacker encrypted it. The developer disputed EMOI’s claims, saying that the policy covered “direct loss or damage to ‘media,'” and only paid for software repairs if the tangible media, such as disk, film, or magnetic tape, were physically damaged.

EMOI filed a breach of contract lawsuit in Montgomery County Common Pleas Court, arguing that the developer did not understand that the software was damaged by the attack. In 2021, a federal court granted summary judgment to Owners Insurance, saying it was a “data breach” and not damage to electronic equipment. EMOI’s insurance policy contained a “data compromise,” but the agreement did not include fraudulent, fraudulent, or ransom payments, the court said.

EMOI appealed to the Second Court of Appeal, which overturned the court’s decision. Owners Insurance appealed to the Supreme Court.

Supreme Court Considers Legal Terms
Owners Insurance argues that business property insurance covers “direct loss, or damage to property,” which courts have ruled to mean damage to tangible property. Different policies on cybercrime are available, and EMOI chose not to buy these, said the insurer. The traditional property policy covers tangible things, such as computers, and should not be interpreted to interfere with the use of software, insurers say.

Owners Insurance covers the loss of EMOI if someone forgets the password to an online banking account. A person’s account is not “lost” when the password does not work, but the owner of the account has lost access to the account until it can be recovered.

EMOI calculates that this is not a case of insurance for many businesses, but some extras that they bought to protect themselves. Its policy from Owners Insurance includes the provision of computer software on the covered property. EMOI says its software was on servers damaged by the attack.

EMOI argues that the loss was not like a wrong password. Once the company gets access, it can provide services to customers, but the hacker has compromised the software. The cost of repairing the damage to the software should be covered by the policy, the company concludes.

Check out Oral Discussions Online
The court will hear EMOI Services v. Owners Insurance Company and two other complaints on Aug. 2. The debates start at 9 o’clock and will be shown online at sc.ohio.gov and on Ohio Channelwhere they are also available for later viewing.

The Court’s Office of Public Information has released detailed information today on each case, which is available via the case name links.

Medical Requirements
A patient sued his Cincinnati doctor after a March 2010 operation. The patient is one of hundreds of people who have sued the doctor, who left the country in late 2013. Elliot v. Durrani and al., the patient says the four-year deadline to file his medical claims was extended because the doctor left the country. The doctor answers that the time to submit a medical case can be extended only if it is stated in the law that establishes the deadline. Leaving the state is not one of the things mentioned, so the deadline cannot be extended, said the doctor.

Eminent Domain
A power company plans to repair a 50-year-old power line in Washington County between two power utilities. A government agency felt that the project was important and would help the people. The company is seeking concessions from several property owners to rebuild the line, which runs through their property. In Ohio Power Company v. Burns, the company sued to claim ownership of the domain to protect other domain owners. The company also says that to use eminent domain, Ohio law requires that the entire project be necessary. However, any easement for property owners should not be reviewed, the company argues. Landowners argue that easements should be tested to see if what is being taken is more than what should be used by the public. Nine groups submitted amicus briefs in the case.