In a recent decision, New York's appellate court considered whether a "Computer Systems Fraud" insurance policy rider (Policy) covered losses that Universal American suffered as a result of fraudulent claims electronically submitted by providers. See Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, 2013 N.Y. App. Div. LEXIS 6278 (N.Y. 1st Dep't Oct. 1, 2013).

Universal claimed that it suffered approximately $18.3 million in losses from fraudulent claims made against some of its Medicare Part D plans. Most of these claims were submitted by providers directly into Universal's computer system and processed through the system. In some cases, "the perpetrators enrolled new members in the Medicare Advantage plan with the person's cooperation, in return for which the member received a kickback from the provider. In other cases, the provider used the member's personal information without that person's knowledge." The National Provider Identifiers (NPIs) used in some cases were for fictitious providers; in other cases, NPIs were taken fraudulently from legitimate providers. Many of the false claims were automatically adjudicated by Universal American's computer system with no manual review.

The Policy provided coverage for losses resulting directly from a fraudulent entry of electronic data or computer program into, or change of electronic data or computer program within, the insured's proprietary computer system, provided that the entry or change causes (1) property to be transferred, paid or delivered; (2) an account of the insured, or of its customer, to be added, deleted, debited or credited; or (3) an unauthorized account or a fictitious account to be debited or credited.

Universal American argued that the provision covers any fraudulent entry of data, even by an authorized user. National Union, the insurer, contended the Policy only covered acts by unauthorized persons, such as hackers. The appellate court found that the "unambiguous plain meaning" of the Policy covered losses from a fraudulent "entry of electronic data" or "change of electronic data" within Universal American's proprietary computer system. The court interpreted this language to apply only to wrongful acts in manipulation of the computer system (i.e., by hackers), and found that the Policy did not provide coverage for fraudulent data submitted by authorized users. Universal American had argued that the Policy was vague and therefore covered fraudulent entries by authorized users. While the New York case was decided against Universal American, that may not be the case in all states, as insurance contracts typically are construed in favor of the insured.

This case highlights why it is important to closely examine insurance policies, including the insuring agreements, definitions and exclusions. Computer crime insurance policies often may be vague and complicated, and slight wording changes can make a significant difference to your right of recovery. Furthermore, the language used in computer crime policies, in many cases, has failed to keep pace with technological advances and often does not recognize the unique issues faced by healthcare providers. This leaves providers in the difficult position of having to determine both the scope of necessary insurance protection and the protection that policies provide.

Finally, this type of coverage, in addition to other insurance policies, should not be overlooked by providers when a data breach occurs, as coverage may be present for some or all of the losses incurred, depending upon the wording of the policy and facts surrounding the data breach.