In Universal American Corp. v. National Fire Insurance Co. of Pittsburgh, the New York Court of Appeals dealt with whether a cyber liability policy provide coverage for losses sustained as a result of submission and payment of fraudulent medical provider claims.  Plaintiff Universal American Corp. is a health insurance company that offers federal government-regulated alternatives to Medicare.  Universal sustained over $18 million dollars in losses when it paid fraudulent medical claims for services that were never actually rendered.  Universal’s computerized billing system allowed health care providers to access and submit fraudulent claims directly to Universal and obtain payment.  Interestingly, the great majority of claims were processed and paid automatically without manual review.

Universal sought coverage for the damages sustained pursuant to a rider of a financial institution bond issued by defendant National Union Fire Insurance Company.  The rider, entitled “Computer Systems” and “Computer System Fraud,” provided indemnification for “losses resulting directly from a fraudulent entry of Electronic Data or Computer Program into, or change of Electronic Data or Computer Program, within the Insured’s proprietary Computer System.”  The New York Court of Appeals held that the language of the rider unambiguously applies to losses incurred from unauthorized access to the computer system — e.g., computer hacking or data breach by a third-party — and not to losses resulting from fraudulent claims submitted by authorized users.

The Court’s ruling reiterated the fact that simply because a claim arises out of the improper use of a computer does not mean the insured’s cyber liability policy will provide coverage particularly where, as here, the culprit was authorized to access the computer system.

Thanks to Brett Kuller for his contribution to this post and please write to Mike Bono for more information.