A practice is suing its insurance broker for $1 million-plus, alleging the firm allowed its cyber liability insurance to lapse around the same day that it suffered a ransomware attack.

Raleigh Radiology claims it completed the necessary forms and submitted them to Arthur J. Gallagher & Co. on time via email to renew its policies. But the global insurance brokerage allegedly never responded to its messages and let its policies lapse, according to an amended complaint filed on Thursday, May 4.

The $5 million-plus cyber policy expired at 12:01 a.m. on Feb. 15, 2022, the North Carolina practice noted. But Raleigh Radiology suffered a ransomware attack sometime on the 14th, with leaders shocked to find in the following days the they had no insurance when trying to tap the policy.

“Rather than having coverage under the insurance that AJG represented that it would procure for Raleigh Radiology, Raleigh Radiology was left almost completely on its own to respond to the cyber incident,” attorneys wrote in the complaint, filed in a North Carolina district court.

The unknown and unauthorized threat infiltrated the practice’s systems around Feb. 14, 2022, and between then and Feb. 17, deployed various tools to gain further control. On that day, hackers deployed ransomware, “encrypting critical files and leaving ransom messages demanding payment,” according to the complaint. Former practice COO Joanne Watson—no longer with the company, according to LinkedIn—phoned AJG shortly after to access the cyber policy.

“Ms. Watson reached out to AJG’s representatives thinking that Raleigh Radiology could access an equivalent to the $5 million cyber liability insurance that had been in force the year prior …” the complaint alleges. “This conversation was the first time that anyone from Raleigh Radiology was informed that its coverage may have lapsed.”

Its response included identifying and containing the attack, conducting a forensic analysis, establishing interim operations to continue functioning during remediation, restoring former backup systems, and testing if these measures worked. All of this work cost a total of more than $330,000, attorneys estimate.

“Raleigh Radiology also had to retain legal advisors to evaluate and provide counsel regarding its obligations,” the practice said. “Fortunately, the professionals that Raleigh Radiology retained saw no evidence that data was exfiltrated from the compromised systems or that cybercriminals sought to exploit the data beyond encrypting it in place.”

Raleigh Radiology estimated that it lost $685,000 in new revenue from the reduction in patients and procedures because of the ransomware attack. It also incurred another $5,000 in expenses to replace certain computer equipment as part of the remediation. The practice is demanding a trial by jury and also seeking interest on all damages, attorney’s fees, and “further relief as the court shall deem just and proper.”

The “first practice” in North Carolina’s Wake County, Raleigh Radiology started with a single physician in 1950 at Rex Hospital in its namesake city. Today, the group employs more than 40 providers across seven imaging centers located throughout the Research Triangle that includes Durham and Chapel Hill.

AJG, or Gallagher, as it’s commonly referred to, is a massive insurance brokerage, risk management, and human resources and benefits consulting firm with primary offices in Rolling Meadows, Illinois. The company has 39,000 employees and reported net earnings of more than $1 billion in 2022, on revenues before reimbursements of $8.4 billion.

Law360 first reported news of the lawsuit on May 4, with representatives from Gallagher declining to comment to the news outlet.