A New York appeals court held October 1 that a computer fraud insurance policy covered losses resulting from unauthorized users hacking into the system, not fraud perpetrated against a Medicare managed care plan by health care providers who were authorized users of the system.

The decision affirmed a January 7 ruling by a New York trial court, which granted summary judgment to the defendant National Union Fire Company of Pittsburgh, PA, in an action brought by plaintiff Universal American Corp., a health insurance company that provides Medicare managed care plans and other insurance products.

Universal contended a “computer systems fraud” rider National issued in 2008 covered a portion of the $18 million in losses that resulted from fraudulent claims that health care providers submitted to one of the company’s Medicare Advantage plans and that were processed and paid through its computer system.

The rider provided up to $10 million in coverage for “loss resulting directly from a fraudulent . . . entry of Electronic Data” into Universal’s computer system. National argued the policy only covered access to the computer system by unauthorized users, i.e., hackers. Universal said even if the language was ambiguous on this point, it should be construed in favor of coverage.

In January, the New York Supreme Court held the policy was unambiguous and did not extend coverage to fraudulent claims entered by authorized users of the computer system. Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 969 N.Y.S.2d 849 (2013). According to the court, coverage under the rider clearly was directed at misuse or manipulation of the computer system, not fraudulent medical claims submitted by authorized users. The court said nothing in the policy suggested coverage extended to instances where an authorized user—a health care provider submitting claims—used the computer system as intended, even if the claims themselves were fraudulent.

The New York Supreme Court, Appellate Division, agreed with the trial court, upholding its interpretation of the policy as a matter of law. The fraud rider “was intended to apply to wrongful acts in manipulation of the computer system, i.e., by hackers, and did not provide coverage for fraudulent content consisting of claims by bona fide doctors and other health care providers authorized to use the system for reimbursement for health care services that were not provided,” the appeals court said.

Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, No. 2013 N.Y. Slip Op. 06321 (N.Y. App. Div. Oct. 1, 2013).