The Ohio Supreme Court ruled in favor of an insurance company, determining that its contract to cover any direct physical loss or damage to property did not encompass ransom payments made when a hacker illegally gained access to medical billing software company EMOI’s systems and data.
The incident happened back in 2019 when cybercriminals managed to breach into the software provider which assists medical practices with booking appointments, keeping records and payment management.
The cybercriminals extorted EMOI with a request of three bitcoins worth around $35,000 at the time in order to return its data. After complying and paying their ransom, they were able to regain control over most of their stolen information. To be better protected against future attacks, EMOI improved its network security and process; however, Owners Insurance Company—which wrote the policy— denied the claim for any damages sustained during the breach.
The Supreme Court carefully examined whether the defense against “direct physical harm to property” covers losses caused by threats to data, such as software, and not just damage that is done on tangible items like computers. The justices then unanimously overturned a lower court’s ruling after concluding that software is an intangible item that cannot experience any direct physical deficit or destruction.