
    [959 NYS2d 849]
    Universal American Corp., Plaintiff, v National Union Fire Insurance Company of Pittsburgh, PA, Defendant.
    Supreme Court, New York County,
    January 7, 2013
    APPEARANCES OF COUNSEL
    
      Schlam Stone & Dolan LLP, New York City (Richard H. Dolan and Bradley J. Nash of counsel), for plaintiff. Nixon Peabody LLP, New York City (Barbara Lukeman of counsel), for defendant.
   OPINION OF THE COURT

O. Peter Sherwood, J.

This is an insurance coverage action by plaintiff Universal American Corp. (Universal) in connection with a “Computer Systems Fraud” insurance policy issued to plaintiff by defendant National Union Fire Insurance Company of Pittsburgh, PA (National Union). Universal moves, pursuant to CPLR 3212, for an order granting partial summary judgment and declaring that certain losses that Universal suffered from the entry of electronic data into its computer system are covered by the policy. National Union cross-moves for an order granting summary judgment dismissing the complaint. For the reasons stated below, the motion is denied, the cross motion is granted and the complaint is dismissed.

Factual Background

According to the complaint, Universal is a health insurance company which provides Medicare managed-care plans, Medicare prescription drug benefits and other insurance products. Universal’s offerings include “Medicare Advantage Private Fee-For-Service” plans (MA-PFFS), which are government-regulated alternatives to Medicare. Essentially, members enroll in health care plans offered by private insurers, which plans receive reimbursement payments from the Centers for Medicare and Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The plans also receive payments from plan members themselves. Under such plans, health care providers submit claims for services provided to plan members, similar to traditional health insurance policies. In Universal’s case, many of the claims are “auto-adjudicated” through Universal’s computer system, with payments rendered without any manual review.

Rider No. 3 to a financial institution bond issued to Universal by National Union on July 29, 2008, provided insurance coverage to Universal against a variety of losses. The rider is titled “Computer Systems Fraud” and provides indemnification for:

“Loss resulting directly from a fraudulent “(1) entry of Electronic Data or Computer Program into, or
“(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System . . . provided that the entry or change causes
“(a) Property to be transferred, paid or delivered,
“(b) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or “(c) an unauthorized account or a fictitious account to be debited or credited.”

The term “Computer Program” was defined as “related electronic instructions which direct the operations and functions of a computer . . . which enable the computer ... to receive, process, store or send Electronic Data.” The term “Electronic Data” was defined as “facts or information converted to a form usable in a Computer System by Computer Programs, and which is stored on magnetic tapes or disks, or optical storage disks or other bulk media.”

The rider has a policy limit of $10 million with a $250,000 deductible for each “single loss.” The rider provided that a series of losses arising from the fraudulent acts of one individual, or of several unidentified individuals using the same method of operation, would constitute a single loss under the policy.

Universal states that, in late 2008, it suffered approximately $18,321,296 in losses from fraudulent claims made against its MA-PFFS plans. Most of these claims were submitted, by providers, directly into Universal’s computer system and processed through the system. In some cases, the perpetrators enrolled new members in the MA-PFFS plan with the person’s cooperation, in return for which the member received a kickback from the provider. In some cases, the provider used the member’s personal information without that person’s knowledge. In either event, the provider itself did not enroll in the plan. Instead, they were able to submit claims after obtaining a National Provider Identifier (NPI) from CMS. In some cases, the NPI was obtained for a fictitious provider, in other cases it was fraudulently taken from a legitimate provider.

Universal states that approximately 80% of the losses at issue resulted from claims submitted to its computer system. In February of 2009, it submitted a proof of loss to National Union. That claim was eventually denied. In June of 2010, Universal commenced this action, asserting claims for breach of contract and for a declaratory judgment stating that its losses are covered by the policy and are not subject to any exclusions. Plaintiff alleges losses of $7,764,211, after the application of the deductible.

Discussion

A party moving for summary judgment is required to make a prima facie showing that it is entitled to judgment as a matter of law, by providing sufficient evidence to eliminate any material issues of fact from the case (see Winegrad v New York Univ. Med. Ctr., 64 NY2d 851 [1985]; Grob v Kings Realty Assoc., 4 AD3d 394 [2d Dept 2004]). The party opposing must then demonstrate the existence of a factual issue requiring a trial of the action (see Zuckerman v City of New York, 49 NY2d 557, 562 [1980]).

The central issue here is the meaning of the clause which states that Universal shall be indemnified for “[l]oss resulting directly from a fraudulent . . . entry of Electronic Data . . . into [Universal’s] proprietary Computer System.” Universal contends that this clause covers the entry of fraudulent information, e.g. fraudulent claims, even by an authorized user such as a provider with a valid NPI. National Union argues that this clause in rider No. 3 does not cover such data. Instead, it argues that the policy provides coverage against computer hackers, i.e., situations in which an unauthorized user accessed the system and caused money to be paid out. In reply, Universal argues that, if the clause is ambiguous, then the court must construe it against National Union as the drafter, and determine that there is coverage (see Gould Invs., L.P. v Travelers Cas. & Sur. Co. of Am., 83 AD3d 660, 661 [2d Dept 2011]).

Interpretation of the provisions of contracts, including insurance policies, is a matter of law for the court, including interpreting whether a given term is ambiguous (see Ashwood Capital, Inc. v OTG Mgt., Inc., 99 AD3d 1, 7-8 [1st Dept 2012]; Seaport Park Condominium v Greater N.Y. Mut. Ins. Co., 39 AD3d 51, 54 [1st Dept 2007]). “[T]he terms of an insurance contract are not ambiguous merely because the parties interpret them differently” (Board of Mgrs. of Yardarm Condominium II v Federal Ins. Co., 247 AD2d 499, 500 [2d Dept 1998], citing Mount Vernon Fire Ins. Co. v Creative Hous., 88 NY2d 347, 352 [1996]). “In determining whether a policy provision is ambiguous, the focus is on the reasonable expectations of the average insured upon reading the policy” (Villanueva v Preferred Mut. Ins. Co., 48 AD3d 1015, 1016 [3d Dept 2008] [citations and internal quotation marks omitted]).

The parties have not cited to any New York cases interpreting the clause at issue here, i.e., “loss resulting directly from a fraudulent . . . entry of electronic data” into Universal’s computer system. In support of its motion, plaintiff relies on the decision in Owens, Schine & Nicola, P.C. v Travelers Cas. and Sur. Co. of Am. (2010 WL 4226958, 2010 Conn Super LEXIS 2386 [2010]). In that case, the policy covered loss resulting from “computer fraud,” which included “the use of any computer to fraudulently cause a transfer” of property (see 2010 WL 4226958, *6, 2010 Conn Super LEXIS 2386, *15). The means by which a fraudulent transfer could be initiated included written, telephonic, telegraphic, fax, electronic, cable, or teletype instructions. The court found that the policy was ambiguous as to how much computer use was required, and, as such, the policy was not restricted to incidents of computer hacking (see 2010 WL 4226958, *7, 2010 Conn Super LEXIS 2386, *19).

The Owens decision is not directly analogous. Among other things, the policy did not use the specific term, “fraudulent entry of electronic data,” that is used here. Moreover, the computer fraud clause at issue there was much broader than the clause here in that it did not define how much computer use was required or in what manner the computer had to be used.

In support of the cross motion, National Union relies on Morgan Stanley Dean Witter v Chubb Group of Ins. Cos. (2004 WL 5352285 [NJ Super Ct, Law Div, Union County, Feb. 17, 2004, No. UNN-L-2928-01], affd in part, revd in part, 2005 WL 3242234, 2005 NJ Super Unpub LEXIS 798 [App Div, Dec. 2, 2005] [No. A-4124-03T2]). In that case, the insurer agreed to indemnify the insured for losses arising from the fraudulent input of electronic data into a customer communication system. The customers were provided with software which enabled them to submit instructions regarding their accounts directly into the insured’s computer system. The policy contained an exclusion for losses resulting from the input of electronic data at an authorized terminal by a customer or other authorized person. The exclusion was not limited to fraud, but applied to any authorized input of data.

The lower court found that there was no coverage in that action based on the exclusion, because it barred coverage anytime a customer or authorized person input electronic data via a customer communication system. The court stated that “[s]hould someone other than a customer or authorized representative, like an imposter or hacker, input data into the Customer Communication System, it would constitute fraud and coverage is provided” (id. at 11). The court also stated that “the overall thrust of the policy [was] to insure against computer hackers or imposters.” (Id. at 10.) This determination was affirmed on appeal (see Morgan Stanley Dean Witter & Co., 2005 WL 3242234, *3, 2005 NJ Super Unpub LEXIS 798, *7).

The decisions in Morgan Stanley are instructive in that each court found that coverage was limited to situations in which the data was input by an unauthorized user. There was no coverage where the user was authorized to input the data.

The clause at issue in this case is not ambiguous. The policy does not extend as far as providing coverage for fraudulent claims which were entered into the system by authorized users.

The rider has two headings, “Computer Systems” and “Computer Systems Fraud.” It has no headings which refer to the content of medical claims submitted to the system. Thus, the headings indicate that the coverage is directed at misuse or manipulation of the system itself rather than at situations where the fraud arose from the content of the claim, and the system was otherwise properly utilized, e.g. a fraudulent claim submitted by an authorized user. Further, the rider states that it covers “fraudulent entry” of data or computer programs into Universal’s computer system which resulted in a loss. This indicates that coverage is for an unauthorized entry into the system, i.e., by an unauthorized user, such as a hacker, or for unauthorized data, e.g. a computer virus. Nothing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims, but where the claims themselves were fraudulent.

Plaintiffs interpretation of the policy would expand coverage to any fraudulent underlying claim that was entered into its computer system by any user, even by an authorized user. This interpretation is not supported by the language of the rider.

Accordingly, it is ordered that the motion for summary judgment by plaintiff, Universal American Corp., is denied; and it is further ordered that the cross motion by defendant, National Union Fire Insurance Company of Pittsburgh, PA, for summary judgment is granted and the complaint is dismissed with costs and disbursements to defendant as taxed by the clerk upon the submission of an appropriate bill of costs.  