The New York Court of Appeals recently held that an insurance policy providing coverage for computer fraud covered losses resulting from unauthorized users hacking into the insured's computer system, but not from fraud perpetrated by authorized health care provider users. Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2015 N.Y. Slip. Op. 05516 (June 25, 2015).
With data hacking and cyber liability becoming more common, many businesses have procured additional insurance to protect against these risks. In this case Universal American Corp., a health insurance company, sustained a loss of approximately $18 million, which allegedly resulted from fraudulent claims being submitted by health care providers.
Specifically, Universal offered "Medicare Advantage Private Fee-For-Service" plans, which are government-regulated alternatives to Medicare whereby members enroll in health care plans offered by private insurers (such as Universal) and receive reimbursement payments from the Centers for Medicare and Medicaid Services (CMS). Under such plans, health care providers submit claims for services provided to plan members, similar to traditional health insurance policies. Universal permitted many of the claims to be submitted and processed through its computer system, with payments rendered without any manual review.
In late 2008, Universal suffered approximately $18 million in losses from fraudulent claims made against its Medicare Advantage plans (i.e., claims for services that were never rendered), most of which were submitted by authorized providers directly into Universal's computer system. Universal submitted a claim under its insurance policy with National Union Fire Insurance Company of Pittsburgh, PA, which provided $10 million in coverage for "loss resulting directly from a fraudulent . . . entry of Electronic Data" into Universal's computer system. National Union denied coverage on the basis that the policy only covered access to the computer system by unauthorized users, such as hackers. Universal of course disagreed with this interpretation of the policy and responded that even if the language was ambiguous on this point, it should be construed in favor of coverage.
After a lawsuit was commenced, and both parties moved for summary judgment, the trial court held the policy was unambiguous and did not extend coverage to fraudulent claims entered by authorized users of the computer system. On appeal, the Appellate Division, First Department agreed with the trial court's reasoning that the coverage for fraud "was intended to apply to wrongful acts in manipulation of the computer system, i.e., by hackers, and did not provide coverage for fraudulent content consisting of claims by bona fide doctors and other health care providers authorized to use the system for reimbursement for health care services that were not provided." The Appellate Division thus declared that the policy did not provide coverage for the claimed loss.
The Court of Appeals granted Universal's application for a second appeal and then affirmed the Appellate Division's decision. The high Court concluded that the policy "unambiguously applies to losses incurred from unauthorized access to Universal's computer system, and not to losses resulting from fraudulent content submitted to the computer system by authorized users." (emphasis added). The Court further reasoned that although the term "fraudulent" was not defined in the policy, its dictionary definition refers to "deceit and dishonesty." Thus, the Policy covered losses resulting from a dishonest entry or change of electronic data or computer program, such as "hacking" of the computer system, but not losses resulting from the data itself, which was undisputedly fraudulent but was entered by authorized users.
The Court of Appeals' ruling means that Universal's sole remedy is to pursue the perpetrators who committed the fraud, which may not be fruitful. The decision is another example of the trend toward securing coverage for the risk of electronic data losses and is a reminder that such coverage provisions must be drafted carefully and with the scope and nature of the insured's business in mind.