A legal battle that spanned years is finally coming to a close.
What happened
Merck & Co., a large pharmaceutical company headquartered in New Jersey, was one of the victims of an international cyberattack.
The attack, conducted by malware organization NotPetya, initially infected Ukrainian accounting software in June of 2017 and went on to impact approximately 65 countries. The malware worked by infiltrating Microsoft systems that lacked a specific security patch. After that, it encrypted user data and demanded a ransom, although paying the ransom did not result in the data being returned.
At the time, the US government condemned Russia for the attack. Russia initially targeted Ukraine, but the worm-like malware spread with lightning speed.
According to an annual report, Merck had to pay $915 million to restore software and operations. The attack impacted its formulating and packing systems, among other operations. Restorations were mostly complete by 2018. After the attack, Merck engaged in a lengthy battle with insurers.
What’s new
Insurers of Merck & Co. weren’t eager to help cover the losses; they argued that the attacks, with their widespread nature and intent to impact specific countries, were akin to an act of war. Acts of war were excluded from the insurance policy with Merck, which is typical in most agreements.
Many insurers settled fairly quickly, but eight held onto the argument. The case was taken to the New Jersey appeals court, which ultimately ruled in May of 2023 that the NotPetya attack did not constitute an act of war.
Insurers planned to escalate the case further; the New Jersey Supreme Court was due to review it in early January.
Instead, Merck & Co. settled just before the review. The exact terms are confidential, but Merck has alleged a $1.4 billion loss from the cyber attack.
Why it matters
The case was unique because it could set a new precedent for what is considered an act of war in these policies. Spanning years, Merck and insurers were eager to reach an amicable settlement, successfully evading a New Jersey Supreme Court review.
Yet, as cyberattacks continue to mount in frequency and severity, this issue could arise again. Large companies like Merck were able to continue operations despite financial challenges. Smaller companies hit by cyberattacks may not be as fortunate.
When healthcare companies cannot operate, the effect is ultimately felt by patients. We expect the courts, providers, and insurers will continue debating this topic.
The bottom line
Now that Merck has recovered and settled the case, the organization has stated it plans to do as much as possible to avoid future attacks. In filings, the company said it is taking new measures to guard against future attacks and to “improve the speed of the company’s recovery from such attacks and enable continued business operations to the greatest extent possible during any recovery period.”
Many companies know the best way to prevent costly legal battles and operational expenses is to prevent attacks before they can begin.
Organizations can worry less about security and focus on patients by working with a trusted HIPAA compliant email service.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
