In late 2017, an insured discovered that an unidentified third party had launched a ransomware attack on a subsidiary company.
Although the ransomware was initially launched against the subsidiary, it subsequently spread to the parent company’s corporate servers. In total, 49 servers were affected. With the help of an outside IT vendor, the insured was able to restore most of the facility and corporate servers from backups without paying the ransom demand, with only one server remaining inaccessible for a short period of time. Limited business interruption occurred due to the quick work of the insured and outside vendors.
Given the US Department of Health and Human Services’ view of ransomware with regard to healthcare entities, and with the consent of the underwriters, the insured and subsidiaries were referred to breach counsel for further guidance and advice on how to handle the incident. Forensics were later engaged to conduct a review to ensure there was no continued outside access and that no information had been exfiltrated or otherwise compromised, in order to establish whether notification would be required. On further investigation, all parties were satisfied that no notification would be needed.