Cybersecurity is all the rage and rightly so. Companies are being hacked and information is being compromised and stolen every day. Medicare fraud is also rampant, with phony claims and improper payments being made daily. In a case just handed down by the New York Court of Appeals these problems converged in the context of a coverage dispute over a financial institution bond issued to a health care company that offered Medicare Advantage plans.
In Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, No. 95, 2015 N.Y. LEXIS 1434 (N.Y. Ct. of App. Jun. 25, 2015), New York’s highest court affirmed the dismissal of a declaratory action brought by a health insurer against its bond insurer. The health insurer had purchased a financial institution bond. The bond, in a rider, addressed computer systems fraud and indicated that the bond would respond to computer systems fraud losses resulting directly from a fraudulent entry of electronic data or computer program into or a change of electronic data or computer program within the insured’s proprietary computer system.
Fidelity bonds are meant to be essentially first party insurance against dishonest and fraudulent acts perpetrated on the insured. Here, authorized users of the health insurer’s computer billing system submitted claims directly to the system that were for unprovided services. In other words, these were fraudulent claims for services that were never provided to policyholders, but for which health care providers were submitting claims for reimbursement under the Medicare Advantage plans.
The health insurer argued that the bond covered these wrongful acts as they took place through the health insurer’s computer system and the acts were fraudulent. The coverage question was whether the bond and its rider were meant to cover Medicare fraud.
All the courts that heard the claim held against the health insurer and in favor of no coverage. The Court of Appeals summed it all up. The court concluded that the reasonable expectations of an average insured upon reading the bond was that the rider applied to losses resulting directly from fraudulent access to the computer system and not to losses from the content submitted by authorized users. Essentially, the rider was meant to protect the insured from hackers and the like who enter the computer system illegally and fraudulently and cause damage from that fraudulent entry into the computer system. The rider did not apply to Medicare fraud; the entry of false data by authorized users of the system.
The court held that the rider was unambiguous and that it applied only to losses incurred from unauthorized access to the health insurer’s computer system. The court analyzed the language and held that the intentional word placement in the rider of “fraudulent” before “entry” and “change” manifested the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access. Exclusions in the bond also bolstered the court’s analysis.
Insurance companies and insureds (including insurance company insureds) are struggling to determine the proper way to address cyber risks. Clearly a fidelity bond covering computer system fraud is one means of protection. But the nature of a bond is different from that of a cyber risk policy or other property policies covering computer fraud or computer losses. It’s the fraudulent entry into the computer system that is required for this bond at least and likely for many others drafted in a similar manner. Where authorized users are intent on committing fraud by submitting fraudulent claims or transactions, fidelity bonds likely will not provide protection. Is there an insurance product that would have protected the health care insurer here? With rampant Medicare fraud, this is another wake-up call to health insurers to avoid rubber stamping electronic claims submissions from providers without proper safeguards in place to weed out fraudulent claims.