Synopsis. The Ohio Supreme Court ruled last week that insurance coverage was not available to a cloud-based medical software provider because, under the applicable insurance policy, “[c]omputer software cannot experience ‘direct physical loss or physical damage’ because it does not have a physical existence.” While acknowledging that software is code-based, the court found that ransomware did not create the physical damage required under the insurance policy, exposing the company to the full costs of responding to the incident. As discussed further below, this decision illustrates how and why health care organizations should evaluate both their cyber risks and their response plans.
Health Care Cyber Risks. The final week of 2022 brought with it two reminders of the continued scourge of ransomware on the health care industry and the need for organizations to take careful steps to protect against cyber risks. On December 28, 2022, news appeared that the personal data of nearly 270,000 patients was accessed in an attempted ransomware attack on a Louisiana health care system. The cyber industry is now accustomed to these types of attacks, which are particularly debilitating and expensive—IBM’s 2022 Cost of a Data Breach report estimates that the cost of responding to the average breach in the health care industry exceeds $10 million. And the day before, the Ohio Supreme Court held that a medical software vendor was not covered by its insurance policy for a ransomware attack that encrypted its system files. The company provides cloud-based applications and billing services to single and multiprovider medical practices. The court’s analysis has significant relevance to health care providers’ evaluation of cyber risks, given the substantial efforts by many to transition critical technology to the cloud, including electronic medical record and billing applications.
EMOI Services, LLC v. Owners Insurance Company. The importance of appropriate insurance coverage is demonstrated by the Ohio Supreme Court’s December 27, 2022 decision in EMOI Services, LLC v. Owners Insurance Company, which addressed whether coverage for physical damage to media would include the medical software company’s losses from a ransomware attack. The ransomware attack encrypted the company’s computer systems and files needed for operating its software and database systems. The company ultimately paid the ransom and received a decryption key, although even then, it was reportedly unable to decrypt certain parts of its system. The company’s insurance policy included a rider for data compromise events, but that rider excluded coverage for costs arising from “any threat, extortion, or blackmail,” including “ransom payments.” Thus, the company apparently was unable to rely on that rider.
Instead, the company sought coverage under a different rider, the electronic-equipment endorsement to its policy, which provided coverage for direct physical loss or damage to “media,” defined (according to the court) as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards” and “computer software and reproduction of data contained on covered media.” The trial court decided that the evidence showed no damage to the company’s software and databases from the encryption; Ohio’s intermediate appellate court disagreed and ruled that the company should have the opportunity to “prove that its media, i.e., its software, was in fact damaged by the encryption.” (It appears that there was no dispute that the hardware computer components were not damaged, just the information and software stored in and accessible through those components.)
This left the Ohio Supreme Court with the final word. That court determined the endorsement required direct physical damage to, or loss of, media—“media,” the court decided, “that has a physical existence.” And because (to the court) electronically stored information is “entirely intangible,” it and the computer software that comprise electronically stored information do “not have a physical existence,” and so computer software cannot sustain physical damage without physical damage to the hardware on which the software is stored.
Practical Considerations. This decision illustrates the questions facing health care organizations. For example:
- Have organizations evaluated the probable cyber risks to their businesses, and the businesses of their suppliers, vendors and others with whom they share information?
- Have organizations appropriately contracted with cloud vendors to ensure that cyber and privacy risks are appropriately addressed and clarified?
- Do organizations have the appropriate portfolio of insurance coverage to protect against those risks?
- For organizations relying on services provided off-site (such as cloud tenancies), can they even evaluate the appropriate coverage if they cannot know whether they have a physical machine or a virtual machine on the other side of the wire?
These are open questions that will be answered over time as more software and applications move to the cloud and cyber risks evolve rapidly. But the EMOI decision reinforces these points:
(1) Health care organizations and others must deploy a combination of appropriate technical controls and governance, conduct appropriate diligence during contracting and thereafter, and—if the parties contract for liability shifting or minimum insurance coverage (which continues to be common)—carry appropriate insurance coverage to protect against the impact of a successful attack and the required response.
(2) Health care organizations and others that require their suppliers and vendors to maintain cybersecurity insurance will need to closely evaluate the coverage they are requiring to ensure that it protects against probable risks.
(3) Relying solely on third-party vendors’ insurance coverage often is not sufficient to mitigate privacy and security risk; rather, active and ongoing diligence and a review of technical, policy and governance controls are critical to onboarding and maintaining third-party suppliers in order to identify and mitigate any risks.