Merck settles with insurance companies over $1.4B claim tied to 2017 cyberattack: report

Merck has reportedly settled with insurance companies that contested the pharma giant’s $1.4 billion claim after it was victimized by a crippling cyberattack in 2017.

With the settlement—terms of which were not disclosed—the insurance companies avoided a ruling that would have provided a precedent for other cases involving insurance claims related to other state-led cyberattacks, Bloomberg Law reports.

Six Russian military intelligence officers were eventually charged by the United States in the “NotPetya” ransomware cyberattacks, which targeted accounting software developed by a Ukrainian company that was used by Merck and several other companies. Malware infected more than 40,000 computers in Merck’s global network.  

A group of insurance companies invoked a “hostile/warlike action” clause, claiming that any state-backed action that “reflects ill will or a desire to harm” should exempt them from providing coverage. After Merck retaliated with a lawsuit in 2018, a New Jersey court rejected the insurance companies’ argument in 2022, saying the clause should only apply to armed conflicts.

In May of last year, a New Jersey appellate court sided with Merck again after eight insurance companies disputed $700 million of the coverage. A second appeal of that verdict was due for oral arguments this week before the parties settled, according to Bloomberg Law.

Representatives for Merck didn't immediately respond to a request for comment.

Beyond the Merck case, the healthcare industry remains a top target for cyberattacks. Last year, German biotech Evotec had to shut down its network to cope with a cyberattack, while India’s Sun Pharma disclosed an IT security breach. Novartis was reportedly the victim of an extortion malware attack in 2022.