On March 31, Compumedics Limited, a medical device company involved in the development, manufacture and commercialization of diagnostics technology for sleep, brain and ultrasonic blood-flow monitoring applications, confirmed that it was the victim of a ransomware attack after unusual activity was detected on its IT network. In its press release, the company disclosed that the incident impacted data on some of its systems in Australia and the United States.
VanHelsing, a ransomware-as-a-service operation, shared limited details about the breach in a March 26 post, along with a countdown to publication of the allegedly stolen data. VanHelsing has not indicated the volume of data it claims to have stolen, nor a ransom demand, but did claim to hold several passport scans belonging to staff in the company’s U.S. office, credit application forms, product and testing data, purchase orders, and other employee data.
We are expecting a number of healthcare clients of ours that use Compumedics as a vendor to instruct Willis to report notices of circumstances to their cyber insurance carrier while Compumedics investigates the extent of the breach and determines exactly whose data was compromised.
This incident, once again, underscores the risks that organizations across a wide range of industries face from third-party relationships. Despite having strong internal security measures, firms can still be vulnerable if their partners are compromised. Incidents like this also serve as a reminder to organizations to make sure they have adequate first- and third-party cyber coverages in place, including, but not limited to, coverage for privacy and security liability, data incident response expenses and dependent business interruptions. Given that the scope of dependent business interruption coverage can vary significantly from one policy to the next, it’s imperative for organizations to work with their broker to maximize coverage in this key area. Potential systemic loss coverage limitations should also be reviewed and evaluated carefully.
If you use Compumedics as a vendor, but are not yet sure if your organization has been impacted by this incident, consult with your Willis claims advocate to determine whether proactively issuing a notice of circumstance is the right course of action.
WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).