Computer fraud, especially that targets banks, health care institutions and repositories of confidential and proprietary information, is a systemic problem. In the classic example, a company's comptroller or payroll supervisor (i.e., someone with access to company funds or accounts) opens an e-mail sent to them by an outside computer hacker. The e-mail contains a virus designed to acquire the user ID and password to the company's bank account. Minutes later, a fraudulent electronic wire transfer to an unknown bank in the amount of $100,000 is initiated by the same hackers. The funds are withdrawn well before the company realizes it has been hacked.
It is not uncommon for sophisticated businesses, especially those in the banking and healthcare sectors, to purchase insurance coverage to protect against losses resulting from computer theft and abuse. Depending on how the policy is structured, it may provide coverage against various losses stemming from "phishing" scams and malicious software applications designed to circumvent online authentication controls.
On October 1, 2013, the Appellate Division, First Department held that a "Computer Systems Fraud" insurance policy provided coverage against unauthorized users hacking into the system, but not for fraud perpetrated by authorized users of the system. Universal American Corp. v. National Union Fire Insurance Company of Pittsburgh, App. Div. LEXIS 6278 (1st Dep't 2013).
Universal is an insurance company specializing in managed-care plans. In this case, the company offered a Medicare Advantage Private Fee-For-Service plan (MA-PFFS) to individuals as a government-regulated alternative to Medicare. As with traditional health plans, providers would submit claims for services rendered to MA-PFFS plan participants. The majority of claims, however, were "auto-adjudicated," meaning claims were made and paid without any manual review or due diligence.
This allowed authorized users to take advantage of the system, resulting in alleged losses of $18,321,296 to Universal. In some cases, new members were enrolled in the plan with the person's cooperation, for which they would receive a kickback from the provider. In other cases, the provider would simply use the person's confidential information to enroll them in the plan without their knowledge. The providers, however, did not enroll in the plan. Rather, they were able to submit claims once they obtained a National Provider Identifier (NPI) from the Centers for Medicare and Medicaid Services (CMS). The NPI was either obtained for a fictitious provider, or was fraudulently taken from a legitimate one.
In February 2009, after discovering the fraud, Universal submitted a proof of loss to its insurer, National Union, in the sum of $7,764,211. That claim was eventually denied. Universal commenced an action against National Union for breach of contract and for a declaratory judgment that its claims were covered by the policy and not subject to any exclusions.
Specifically, Universal's policy provided coverage for: "Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within the Insured's proprietary Computer System"¦" Universal argued that this clause covered the entry of fraudulent information (in this case claims), even by an authorized user such as a provider with a valid NPI. National Union asserted that the policy provided coverage against computer hacking, such as that perpetrated by unauthorized users in the above example.
Because of the absence of any New York case law directly on point, the lower court considered similar cases from Connecticut and New Jersey. The lower court found a Connecticut case cited by Universal unavailing, as "the policy did not use the specific term, 'fraudulent entry of electronic data,' that is used here." Instead, the lower court relied on a New Jersey case cited by National Union, where "the insurer agreed to indemnify the insured for losses arising from the fraudulent input of Electronic Data into a customer communication system." The lower court found the New Jersey case instructive insofar as "coverage was limited to situations in which the data was input by an unauthorized user." However, there was no coverage where the user was authorized to input the data.
The lower court also rejected Universal's contention that the clause was ambiguous, noting that the policy "has two headings, 'Computer Systems' and 'Computer Systems Fraud,'" neither of "which refer to the content of medical claims submitted to the system." As the court explained, the headings establish that coverage is limited to "misuse or manipulation of the system itself rather than in situations where the fraud arose from the content of the claim, and the system was otherwise properly utilized, e.g., a fraudulent claim submitted by an authorized user."
On appeal, the Appellate Division, First Department, affirmed the lower court's interpretation, holding that the policy "was intended to apply to wrongful acts in manipulation of the computer system, i.e., by hackers, and did not provide coverage for fraudulent content consisting of claims by bona fide doctors and other health care providers authorized to use the system for reimbursement for health care services that were not provided."
This decision concerns a significant coverage issue for those businesses that have purchased a computer fraud policy. Here, the defining characteristic is the term "computer." The authorized users in this case did not game the system by manipulating Universal's electronic data. Rather, they manipulated the system itself, i.e., by submitting false claims. Universal's computer system worked as it was intended to, and thus, coverage was not available to cover its $7 million in losses.
If you require further information regarding the information presented in this Legal Alert and its impact on your organization, please contact John R. Casey at (518) 429-4277 or jcasey@hblaw.com.