The University of California is suing a number of insurance firms for refusing to pay out on cyber policies nearly 10 years after hackers breached data on millions of patients at its health system.
The university’s board of directors, known as the regents, filed suit in the Superior Court for the State of California against various syndicates operating through the Lloyd’s of London insurance marketplace, claiming the school should have been covered by policies purchased before the incident. The regents allege the syndicates have refused to engage in dispute resolution by asserting that the statute of limitations applying to the claims had expired.
The cyberattack on the University of California Los Angeles Health system, disclosed in May 2015 and detected in late 2014, exposed sensitive data on around 4.5 million current and former patients. Victims sued UCLA Health in 2015 in multiple lawsuits, which were consolidated into a single action later that year, alleging the system failed to properly protect their private information.
UCLA Health settled that lawsuit in 2019 for $7.5 million and incurred additional costs related to incident response and providing identity protection for victims. The university filed insurance claims to recoup these expenses. The insurers, which the regents said they couldn’t name in the complaint, have refused every claim, saying that UCLA Health failed to satisfy cybersecurity requirements under the contract terms. The university denies that it failed to meet the cybersecurity requirements in the policies.
The University of California declined to comment. Lloyd’s didn’t respond to a request for comment.
The regents said they were forced to file the lawsuit after the syndicates declined to participate in alternative dispute resolution proceedings, as stipulated in the policy. The insurers said the statute of limitations for claims on the policy expired on June 7, 2021, the complaint said.
Sherilyn Pastor, head of the insurance coverage group at law firm McCarter & English, said that statutes of limitation are a fairly frequent issue with insurance disputes. She said companies should closely read their contracts and check if the deadlines for filing claims are shorter than those in state law.
Arguments between policyholders and insurers can drag on for years and run into limitations because assessing damages from an incident isn’t easy, she said.
“You may not actually know if you’ve sustained a loss by virtue of the breach until a later point, and so you need to know the law, because it may be that there is something that has happened that extends your period, or that the period isn’t even running yet,” Pastor said.
Insurers have faced a number of lawsuits stemming from cyberattacks, with some cases taking years to work their way through courts after the initial incident. Some relate to disputes over the handling of renewals and other areas, and many focus on what is or isn’t covered by a policy.
In May, a New Jersey court ruled that insurers must cover costs incurred by pharmaceutical giant Merck, after the company in 2017 fell victim to the NotPetya virus, which the U.S. has said was released by Russia. Moscow denies the allegations, but insurers argued that the incident fell under an exclusion for acts of war. Lloyd’s has since directed its syndicates to exclude catastrophic attacks launched by nation states from cyber policies.
Food producer Mondelez in November settled with its insurers over NotPetya damages totaling over $100 million, without disclosing terms.
“The challenge with insurance, at least from my perspective, is that what you’re really buying is the promise to pay at a later date,” said McCarter & English’s Pastor. “So the more that you can see up front, and understand what that promise is actually going to mean and look like, the better.”