Computer Systems Fraud Rider Covers Hackers, Not Authorized Users’ Fraudulent Activity, Court Finds

December 31, 2012 | Insurance Coverage

A New York court has ruled that a Computer Systems Fraud rider to a Financial Institution Bond did not cover alleged fraudulent activity by authorized users of the insured’s system.   

The Case 

Universal American Corp. offered a variety of insurance products to health care providers, including “Medicare Advantage Private Fee-For-Service” plans (“MA-PFFS”). The MA-PFFS plans allowed health care providers to submit claims for services provided to plan members, with many of the claims “auto-adjudicated” through Universal’s computer system and payments rendered without any manual review.

Universal claimed that, in late 2008, it suffered millions of dollars in losses from fraudulent claims made against its MA-PFFS plans. It asserted that most of these claims were submitted by providers directly into Universal’s computer system and processed through the system. According to Universal, in some cases, providers enrolled new members in the MA-PFFS plan with the person’s cooperation, in return for which the member received a kickback from the provider.  In some cases, it alleged, a provider used a member’s personal information without that person’s knowledge. 

Universal sought coverage for its losses under a Computer Systems Fraud rider to a Financial Institution Bond issued to it by National Union Fire Insurance Company of Pittsburgh, PA.

National Union disclaimed coverage, contending that the policy provided coverage against computer hackers – situations in which an unauthorized user accessed the system and caused money to be paid out. Universal disagreed, arguing that the policy covered the entry of fraudulent information even by an authorized user. Universal sued. 

The Court’s Decision 

The court found that the policy was “not ambiguous” and did “not extend as far as providing coverage for fraudulent claims which were entered into the system by authorized users.” Coverage, it ruled, was directed at misuse or manipulation of the system itself rather than at situations where the fraud arose from the content of the claim, and the system was otherwise properly utilized. The court concluded that nothing in the Computer Systems Fraud rider indicated that coverage was intended where an authorized user utilized the system as intended to submit claims where the claims themselves were fraudulent. 

The case is Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, No. 650613/2010 (Sup. Ct. N.Y. Co. Jan. 7, 2013). 

The Rivkin Rule 

If the court had accepted the argument that the policy covered the entry of fraudulent information even by an authorized user, it would have expanded coverage to any fraudulent underlying claim that was entered into the insured's computer system by any user. As the court found, that interpretation was not supported by the language of the Rider.
