NY Court Holds Coverage Under “Fraudulent Entry” Provision Requires 3rd Party Hacking

The Court of Appeals of New York, applying New York law, ruled that fraudulent entries by authorized users into an insured’s computer system did not constitute “fraudulent entry” under the unambiguous terms of a rider of a financial institution bond.

Universal American Corp. (“Universal”) is a health insurance company that offers health insurance to Medicare-eligible individuals. Universal is, in turn, reimbursed by the U.S. Dept. of Health and Human Services for health care provided to the plans’ members. Universal has a computerized billing system that allows health care providers to submit claims directly to the system. In 2008, Universal suffered over $18 million in losses for payment of fraudulent claims submitted to the system for services never actually performed.

Universal obtained coverage from National Union Fire Insurance Company of Pittsburgh, PA (“National Union”) for losses from computer systems fraud. National Union denied Universal’s claim for the losses from the fraudulent claims. Universal then commenced an action against National Union. The trial court granted summary judgment in favor of National Union and dismissed the complaint, concluding that the National Union policy rider was unambiguous and the intended coverage was for an unauthorized entry into the computer system by a hacker or through a computer virus. The Appellate Division modified the summary judgment order to declare that the policy does not cover the loss, and otherwise affirmed.

The Court of Appeals of New York affirmed the Appellate Division’s ruling. The court found that the policy unambiguously applies to losses from unauthorized access to Universal’s computer system, and not to losses resulting from fraudulent content submitted by authorized users. The court rejected Universal’s interpretation that “fraudulent entry” means “fraudulent input.” The court reasoned that the placement of the word “fraudulent” before “entry” showed the parties’ intent to provide coverage for a violation of the integrity of the computer system through dishonest access. “The rider’s reference to ‘fraudulent’ does not also qualify what is actually acted upon, namely the ‘electronic data’ or ‘computer program’ itself.” The court also rejected the interpretation adopted in Owens, Shine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., 2010 WL 4226958 (Conn. Super. Ct. Sept. 20, 2010), finding that the case was distinguishable because the policy provision in that case was much broader. Universal American Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, No. 650613/2010 (N.Y. June 25, 2015).

