More than a year has passed since U.S. Attorney General Merrick B. Garland established the COVID-19 Fraud Enforcement Task Force to use the resources of the U.S. Department of Justice (DOJ) and partner with other government agencies to combat COVID-19-related fraud. Since then, the DOJ has touted its enforcement efforts in both the civil and criminal arenas: it has criminally charged 1500 people (450 of whom have been convicted thus far), opened civil investigations into more than 1800 individuals and entities, and seized $1.2 billion in relief funds.

In many cases, these DOJ investigations and prosecutions are not limited to the misuse of Paycheck Protection Program (PPP) loans and PPP loan fraud schemes but are also aimed at deterring and holding individuals accountable for healthcare-related COVID-19 fraud more generally. By all indications, there is no slowdown in sight.

For example, on August 29, 2022, in the Middle District of Florida, a convicted felon pled guilty to a host of charges, including wire fraud and bank fraud, for his involvement in a $2.6 million COVID-related fraud scheme. The convicted felon had submitted false and fraudulent applications for various loans, including one for a PPP loan. The loan applications he submitted not only included numerous false representations related to his criminal history and number of employees, but also allegedly presented a fake commercial lease to obtain the loan. Moreover, he used the personally identifiable information, such as name, date of birth, driver’s license information and Social Security numbers, of people purported to work for him to submit fraudulent payroll and tax documents. The convicted felon’s fraudulent scheme led the private lender and Small Business Administration (SBA) to approve the loan and resulted in the deposit of approximately $2,617,447, which was then used to purchase residences, a boat, an engagement ring, stocks, and ammunition, all of which has now been forfeited to the federal government.

With regard to recent civil enforcement actions, the DOJ has been consistently alleging PPP fraud under the False Claims Act (FCA). In both civil and criminal enforcement actions, the main target has usually been borrowers engaged in PPP loan fraud. However, in a recent case out of Texas, the DOJ targeted the lender. In that case, a regional bank approved and processed a PPP loan despite the bank’s employees’ knowledge of a PPP loan applicant’s ineligibility to apply for the same. The bank agreed to pay $18,673.50 to “resolve allegations it improperly processed a PPP loan on behalf of an ineligible customer,” thereby making this the first FCA settlement with a PPP lender. This case demonstrates that witting or unwitting borrowers of PPP loans are not the only focus of the federal government – lenders and the extent of their knowledge as to the truth or falsity of these PPP applications are potential targets as well.

Most recently, on September 14, 2022, the DOJ announced the formation of three Strike Force teams to further bolster the DOJ’s ongoing efforts to address COVID-19 related fraud. As a show of force and coordinated effort, the Strike Force includes several agencies, among them the FBI, the Department of Labor Office of Inspector General, the Small Business Administration Office of Inspector General, the Department of Homeland Security Office of Inspector General, and Internal Revenue Service Criminal Investigations, thereby bringing combined fraud, cybercrime, and money laundering expertise to bear in enforcement efforts. The Strike Force teams will primarily operate in large cities including Los Angeles, Sacramento, Miami, and Baltimore. Attorney General Garland explained that the Strike Force teams will “build on the Department’s historic enforcement efforts to deter, detect, and disrupt pandemic fraud wherever it occurs.”

As we have cautioned previously, it may become challenging for the government to discern between borrowers that intended and affirmatively acted to commit fraud and those that were well-intentioned but nonetheless failed to comply with this fast-tracked federal relief program. As a result, many unwitting borrowers or participants – and now even knowledgeable lenders – may find themselves caught in the DOJ’s fishnet of fraud charges with potentially severe consequences. It remains critical for business owners who loaned or received PPP funds to immediately review their compliance, mitigate any non-compliance, and address corrective measures and exposure to enforcement with the appropriate government agency.

Moreover, healthcare providers, owners and executives of medical businesses, physicians, and healthcare marketers and manufacturers should carefully track their billing practices, review their internal policies and procedures, train and audit staff, and institute safeguards, if necessary, to ensure COVID-19 relief funds are not being intentionally or negligently misused.

As we reported back in July on this blog, the U.S. Supreme Court earlier this year held that the federal government improperly lowered drug reimbursement payments to certain 340B hospitals that serve low-income communities. Following that decision, the case was remanded to the lower courts for further proceedings consistent with the Court’s ruling.

On September 28, 2022, the United States District Court for the District of Columbia entered a written decision and order in favor of the hospitals and healthcare organizations who brought the lawsuit. Specifically, they sought a vacatur of the unlawful 340B reimbursement rate for the remainder of 2022 and an injunction to ensure the enforcement of the relief sought.

The Honorable Rudolph Contreras, U.S.D.J. held that the government had no basis upon which to argue that the unlawful 340B drug reimbursement rate should remain in effect for the remainder of 2022. While Judge Contreras held that an injunction was unnecessary, the plaintiffs were successful in obtaining the relief sought with the Court ordering that the unlawful rate be vacated for the remainder of 2022.

Accordingly, for the remainder of 2022, the U.S. Department of Health and Human Services (HHS) will be required to pay full rates of reimbursement to participants in the program. While it remains to be seen exactly how HHS will address the retroactive shortfall in reimbursement and correct the rates for 2023 and beyond, this ruling marks a significant victory for 340B hospitals.

For nearly 40 years, federal courts have routinely upheld agency action under the principle of judicial deference established in the seminal case of Chevron U.S.A. v. Natural Resources Defense Council, Inc., which requires courts to uphold an agency’s interpretation of the statute it administers if the statutory language is ambiguous, and the agency’s interpretation is reasonable. Critics have argued that federal judges have been too quick to find an ambiguity in the face of complex and often dense statutory language and rush to defer to an agency’s interpretation, secure in the knowledge that Chevron deference will provide cover for their rulings.

However, this past June the U.S. Supreme Court issued two decisions addressing the outer limits of agency power in American Hospital Association v. Becerra and West Virginia v. Environmental Protection Agency, signaling renewed judicial oversight over agency action.

In AHA v. Becerra, the Court admonished the Department of Health and Human Services (HHS) for improperly lowering drug reimbursement payments to hospitals that serve low-income communities under a program called “340B,” finding that the Medicare statute explicitly and solely permits HHS to set the reimbursement rate for hospitals for certain outpatient prescription drugs that the hospitals provide to Medicare patients using only one of two methods:

  • If HHS conducted a survey of hospitals’ acquisition costs for prescription drugs, then HHS may set the reimbursement at the average of the hospitals’ acquisition costs.
  • If HHS did not conduct a survey, then HHS is required to set reimbursement rates at the average sales price charged by manufacturers for the drugs, i.e., 106% of the drug’s average sales price, and is prohibited from varying reimbursement rates for different groups of hospitals.

Without conducting a survey, in 2018 and 2019, HHS established two separate reimbursement rates, substantially reducing the reimbursement rates for 340B hospitals to 77.5% of the average sales price for each drug while at the same time maintaining the historical rate of 106% of the average sales price for non-340B hospitals. This resulted in a reduction in the reimbursement rates for 340B hospitals of about $1.6 billion annually. However, the Court held in AHA v. Becerra that because HHS did not conduct a survey of hospitals’ acquisition costs (as required by the express language of the Medicare statute), it acted unlawfully by reducing the reimbursement rates for 340B hospitals.

Further, in West Virginia v. EPA, the Court determined that a Congressional statute, authorizing the EPA to establish emissions caps at a level reflecting “the application of the best system of emission reduction . . . adequately demonstrated,” did not empower EPA to devise carbon emissions caps based on a generation-shifting approach, i.e., by restructuring the nation’s overall mix of electricity generation, to transition from 38% to 27% coal by 2030. By taking this generation-shifting approach, EPA broke from its 50-year history of setting performance standards under the Clean Air Act based on measures that would reduce pollution by causing plants to operate more cleanly.

Applying what is known as the “major questions doctrine,” the Court held that EPA did not have the authority under the language of the Clean Air Act to promulgate regulations that would essentially reconfigure electric energy production nationwide from coal-generated power plants to solar, wind and gas powered plants. Rather, the Court noted, such a dramatic shift in policy is a matter for Congress.

Both decisions are particularly notable because they ignore Chevron and find instead that agency authority is limited by the language and scope of the agency’s enabling statute. In AHA v. Becerra, the agency’s power was clearly defined in the Medicare statute, and in West Virginia v. EPA, the scope of the extraordinary power claimed by EPA for itself was not granted by Congress in any textual provision of the Clean Air Act. The upshot of these decisions is that federal agencies must be circumspect about relying on innocuous statutory language or general “catch all” provisions to justify their actions where such language or provisions do not (and were never intended to) authorize agency action.

Hospitals should vigilantly monitor HHS’s regulatory actions that adversely affect Medicare reimbursement to ensure that such actions are supported by clear Congressional authority rather than simply by an expansive interpretation that aggrandizes HHS’s own power.

Noncompete agreements and restrictive covenants have increasingly become the subject of scrutiny, and within the healthcare sector the use of these agreements remains both highly controversial and highly litigated. Greenbaum attorneys Jessica M. Carroll and John Zen Jackson analyze these issues, including related activity on the legislative front and the potential impact of federal antitrust law, in the article “Physician Noncompetes May Get Federal Antitrust Treatment,” published by Law360 on September 20, 2022.

On the heels of the Dobbs decision overruling Roe v. Wade, President Joe Biden directed the Secretary of Health and Human Services (HHS) to provide guidance under the Health Insurance Portability and Accountability Act (HIPAA) and other statutes to protect reproductive rights and abortion access by strengthening “the protection of sensitive information related to reproductive healthcare services” and bolstering patient-provider confidentiality under the HIPAA Privacy Rule. The Privacy Rule prohibits the use or the disclosure of an individual’s Protected Health Information (PHI) without the individual’s consent unless expressly permitted or required by the Privacy Rule.

On June 28, 2022, HHS Secretary Xavier Becerra announced a number of steps that included ensuring patient privacy for individuals seeking reproductive health care. The Office of Civil Rights (OCR) within HHS responded with guidance addressing several scenarios that included HIPAA’s exception for disclosure when “required by law.” In relevant part, OCR explained:

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law. Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures. [Emphasis in original.]

Implicit in the guidance is that the HIPAA Privacy Rule does not prevent compelled disclosure when required by state law. The Ohio Supreme Court recognized this proposition in State ex rel. Cincinnati Enquirer v. Daniels, where it reviewed the Cincinnati Health Department’s denial of a request for records listing property owners who received notices of contamination based on blood tests received by the Department showing elevated lead levels. The Court disagreed with the Department’s refusal to produce the information based on the HIPAA Privacy Rule because the records contained PHI. Furthermore, the Court stated that “even if the records did contain protected health information, they would still be subject to release in accordance with the ‘required by law’ exception to HIPAA.” Thus, while the guidance by the federal government under HIPAA provides some additional assurances for providers and patients, it cannot ensure that PHI related to reproductive health services will not be disclosed.

Thus far, none of the states that have banned abortion in the aftermath of Dobbs have criminalized the conduct of the woman seeking the abortion. However, if abortion were to be criminalized, an example of a disclosure that might not meet the “required by law” standard would be an emergency room staff reporting a woman presenting for care related to a miscarriage following an attempted self-induced abortion where no statute existed requiring that a report be made. Such an instance occurred in Texas and resulted in a grand jury charging a woman with murder under its “heartbeat law.” The charges, however, were eventually dropped as the Texas law explicitly exempts pregnant women who get an abortion from criminal consequences.

The enactment of “fetal personhood” abortion laws, such as that in Georgia, present a further risk that women who undergo an abortion will be prosecuted for child abuse or feticide. This places physicians in a difficult position as physicians are mandated to report child abuse in all states.

A recent article entitled “Supporting, Not Reporting – Emergency Department Ethics in a Post-Roe Era” in the September 8, 2022, issue of the New England Journal of Medicine analyzes this tension between the physician’s duty of care and confidentiality against his/her obligation to comply with legal requirements. The article’s authors reject the applicability of the mandatory child abuse paradigm in connection with a woman having undergone an abortion and find support in a footnote to the OCR guidance indicating that HIPAA exceptions regarding “reports of child abuse or neglect would not apply to disclosures of PHI relating to reproductive health care.” They further contend that “[t]he justification for breaching confidentiality to report child abuse is not punishment but prevention of harm, which doesn’t apply in abortion cases.” More specifically, they urge Emergency Department staff to be guided by ethical principles that would preclude any disclosure:

[T]he American College of Emergency Physicians’ code of ethics, which states, “Personal information may only be disclosed when such disclosure is necessary to carry out a stronger conflicting duty, such as a duty to protect an identifiable third party from serious harm or to comply with a just law.”

Mandatory reporting laws are ethically justified under the principle of non-maleficence because they prevent harm to a patient or other individuals, or under the principle of beneficence because they directly benefit patients by protecting them from specific harms. Either situation overrides the ethical principle of patient autonomy.

However, requiring mandatory reporting concerning abortions presents a circumstance of something being legal but unethical. There is guidance from the American Medical Association that “[i]n circumstances of unjust laws, ethical responsibilities should supersede legal duties.” This conundrum with the potential for civil disobedience is not unique, but is a variation on the “conscience” claim for refusing to provide abortion. Here, the ethical decision involves supporting the choice to have an abortion. The refusal to perform an abortion, as a matter of conscience, has frequently been asserted and legislatively recognized. But not performing an action required by one’s core beliefs can be just as harmful to an individual’s moral integrity. This “conscientious objection” should also be recognized.

New Jersey has already taken steps to enhance the HIPAA protection of PHI with the enactment of Bill A3975 on July 1, 2022. This new law prohibits any disclosures related to reproductive health care services that are permitted under the laws of this state without written consent of the patient or the patient’s authorized legal representative. This protection covers not only New Jersey residents but also a person who resides in a jurisdiction where abortion is illegal.

Many believe that the future of technology is artificial intelligence (AI). Everywhere we look, we see examples of AI seeping into various aspects of our lives. The complex algorithms that operate the facial recognition on our cell phones, the smart home devices that learn our preferences, the social media platforms that personalize our content, or the autonomous self-driving cars currently in development are all examples of an all-encompassing concept known collectively as AI, which comes in many forms and levels of complexity.

Not surprisingly, AI, especially machine learning-based technologies, has also become prevalent in the healthcare industry. There are many products currently on the market that help review and assess patient data to identify risk factors and possible areas of health concern. Technology is currently being used to scan x-rays, MRIs, colonoscopy video, and other imaging to help identify abnormalities. AI technology is helping to monitor in real-time vital signs and other data to perform risk assessments and detect patient needs. Healthcare providers are relying more and more each day on these advancing technologies to provide better quality and more efficient and timely care to patients.

While most recognize the significant benefits the continued advancement of AI could have on all aspects of our lives, its utilization in healthcare provides unique challenges. As of this writing, regulation of AI in the healthcare sector has been limited, with both the U.S. Food and Drug Administration publishing a set of guiding principles and the U.S. Department of Health and Human Services creating an AI Office and issuing a strategy document. Over the past several years, various Congressional Committees have also held hearings on the topic, but as of yet no formal legislation or regulatory proposals have come to fruition or appear imminent on the subject. Despite this inaction, the European Union has proposed the first of its kind regulation of AI (not just in the healthcare sector) known as the Artificial Intelligence Act and is moving toward an effective date sometime in 2024. All eyes are on the fate of this law, as it would likely be a driving force in shaping the regulation of AI not just in the European Union but in countries around the world.

In reviewing the proposed AI Act, and in considering possible legislative or regulatory action stateside, there are a number of key areas of concern that will likely be addressed and considered to ensure the safety of AI. These include:

  • Data privacy – Data is big business around the world and given the need for data to train AI systems, regulators will need to closely examine the limitations on the right of third parties to share or sell customer/patient health information that was originally shared for a different purpose. There are already laws on the books under HIPAA that preclude healthcare providers, insurance companies, and clearinghouses from selling patient information to third parties. However, HIPAA does not apply to non-covered entities. For example, when a person inputs their health information into an app on their phone, the developer of that app is not necessarily under any restrictions that would prevent it from sharing or selling the health information to other third parties.
  • Healthcare inequity – Healthcare inequity is a major focus in the industry right now and a priority of the current administration. AI, if not programmed properly, poses the risk of perpetuating these inequities – for example, if the algorithm is developed in such a way that there is bias built into it. Moreover, close attention must be paid to the data utilized to train the algorithm. If the data contains biases within it, then the technology will learn those same biases. And finally, if the data sets utilized to train the technology are not broad enough, then inequity can again creep into the technology.
  • Safety – As AI continues to evolve and advance, healthcare providers and others in the industry are likely to place greater reliance on its recommendations and conclusions. This will pose significant questions for regulators. For example, could this technology be considered the unlicensed practice of medicine? Moreover, if the technology misses a diagnosis, will insurance cover the malpractice claim? And would the healthcare provider who relied upon the technology, or the patient it was used on, have a claim against the manufacturer for the mistake?
  • Transparency – With our ever more digital lives, communicating over the internet or generally through our phones and other devices can make it difficult to recognize when we are communicating with an artificially intelligent machine versus another person. Regulators will be looking to ensure transparency so that individuals are fully on notice when it is not an actual person on the other end of the communication.

We cannot deny that AI technologies will only continue to advance and evolve. Given the rapid pace with which this is occurring, legislators and regulators are faced with the challenging task of trying to develop laws and regulations that can withstand the test of time. Moreover, they must balance the goals of advancement with the need to ensure that citizens are protected from possible abuses of the technology. We will continue to monitor AI-related developments impacting the healthcare sector as they inevitably occur.

The U.S. Departments of Health and Human Services, Labor, and the Treasury have issued final rules under the No Surprises Act, largely addressing the Independent Dispute Resolution process and downcoding.

As we previously reported, the U.S. District Court for the Eastern District of Texas issued a ruling that certain Centers for Medicare & Medicaid Services interim rules conflict with the federal No Surprises Act and must be set aside under the Administrative Procedure Act. The Court took particular issue with the rule that an Independent Dispute Resolution (IDR) entity must ordinarily select the offer closest to “the qualifying payment amount” (QPA), typically the median rate the insurer would have paid for the service if provided by an in-network provider or facility.

Following that ruling, HHS published “Federal Independent Dispute Resolution (IDR) Process Guidance for IDR Entities” dated April 2022. That guidance required IDR entities to consider the QPA and information that providers and plans submit during the IDR process. It does not establish the QPA as the presumptive appropriate amount.

Recently, on August 19, 2022, the Departments issued “Requirements Related to Surprise Billing: Final Rules.” The rules finalize requirements related to information that group health plans and health insurance issuers offering group or individual health insurance coverage must share about the QPA, and in consideration of the emerging caselaw.

Independent Dispute Resolution

The final rules further clarify the October 2021 interim final rules requiring IDR entities to select the offer closest to the QPA, unless the IDR entity determined that any additional credible information submitted by the parties demonstrated that the QPA was materially different from the appropriate out-of-network rate. The final rules specify that IDR entities should select the offer that best represents the value of the item or service under dispute after considering the QPA and all permissible information submitted by the parties. In performing this review, IDR entities are to evaluate whether the information provided relates to the payment amount offer submitted by either party, and whether the additional information is credible. The IDR entity should also evaluate the information to avoid double counting information that is already accounted for by the QPA or by any of the other information submitted by the parties.

The final rules also finalize provisions of the October 2021 interim final rules requiring IDR entities to explain their payment determinations and underlying rationale in a written decision submitted to the parties and the Departments. The final rules require that the written decision include an explanation of the information that the IDR entity determined as demonstrating that the selected offer is the rate for out-of-network services that best represents the value of the item or service. This includes the weight given to the QPA and any additional credible information regarding the relevant factors.

If the IDR entity relies on additional information or circumstances when selecting an offer, the final rules state that its written decision must include an explanation of why the IDR entity concluded the information was not already reflected in the QPA.

Downcoding

The final rules also clarify requirements for “downcoded” claims, to include information necessary to engage in meaningful negotiations. Previous interim rules described the practice and explained that it was permissible under certain circumstances, but without defining the term. The final rules define downcoding to mean the alteration by a plan or issuer of the service code to another service code or the alteration, addition, or removal by a plan or issuer of a modifier, if the changed code or modifier is associated with a lower QPA than the service code or modifier billed by the provider. Payers are required to:

  • Notify providers when downcoding occurs, including notification that the service code or modifier was downcoded;
  • Explain why their claim was downcoded; and
  • Provide the amount that would have been the QPA had the service code or modifier not been downcoded.

With ongoing challenges to the No Surprises Act, providers should continue to monitor changes to this law as it continues to take shape through new rules and additional guidance. We will keep you advised accordingly.

In response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the resulting laws enacted in several states to prohibit abortions, New Jersey has passed new laws designed to protect individuals who visit New Jersey seeking reproductive healthcare services, in addition to the medical providers who provide them with care in New Jersey. These laws, however, do not change anything in New Jersey with respect to a woman’s right to abortion. Patients in New Jersey have, and continue to have, a right to in-clinic or medication abortions, without waiting periods, regardless of gestational age, and without parental notification if the patient is a minor.

Following the Court’s decision, and in anticipation of an increase in the number of out-of-state pregnant women traveling to New Jersey for abortion services, Governor Phil Murphy signed two bills on July 1, 2022 (A-3975/S-2633 and A-3974/S-2642) to shield these patients, along with New Jersey residents and medical providers, from lawsuits and other interventions from those states where abortion is now illegal. Part of the intent of these new laws is to ensure that the personal health information (PHI) of patients receiving comprehensive reproductive healthcare services in New Jersey, including abortion care, will be kept private, and to prevent PHI from being utilized by other states to investigate and prosecute individuals. New Jersey’s efforts are in furtherance, and consistent with, the continued efforts of the Office of Civil Rights (OCR) to administer and enforce the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to prohibit healthcare entities from using or disclosing PHI absent an authorization from the patient.

What remains to be seen is how certain HIPAA exceptions, such as those for law enforcement purposes, will impact the protections of HIPAA. Governor Murphy’s nondisclosure bills attempt to address these concerns and will prohibit medical providers from disclosing certain information and/or communications about a patient’s reproductive healthcare services without the patient’s written consent in civil actions and other judicial proceedings. Likewise, public entities in New Jersey are forbidden from providing or using PHI in furtherance of any interstate investigation and/or proceeding that seeks to impose civil or criminal liability in connection with reproductive healthcare services on any person or entity.

Additionally, under the new laws, New Jersey licensing boards may not suspend, revoke, or decline to renew any license or registration of a medical provider based solely on the medical provider’s involvement in abortion-related services for a patient residing in a jurisdiction where abortion is illegal. Said differently, healthcare providers are protected from losing their professional licenses and/or registrations if they perform an abortion within New Jersey.

The bills also prohibit extradition of patients who travel to New Jersey for an abortion, along with patients who reside in New Jersey, in addition to the medical providers, for purported crimes relating to reproductive healthcare services that are unlawful in the outside state.

Further, New Jersey’s key law enforcement officials have taken a united position to share intelligence about threats to medical facilities and providers. They will also actively enforce the Freedom of Access to Clinic Entrances Act, a federal law prohibiting threats, force, obstruction, and property damage intended to interfere with reproductive healthcare services. Significantly, the New Jersey Division of Consumer Affairs has vowed to protect the privacy of patients both within and outside of the state so that their private data will not be misused to target them.

As a result of these two new bills and the commitment of New Jersey’s law enforcement, New Jersey has established itself as a safe haven for women seeking reproductive healthcare services and the medical providers caring for them.

As we reported recently in a Client Alert, the Supreme Court of New Jersey’s recent decision in Rivera v. The Valley Hospital, Inc. aligned with prior case law in confirming that punitive damages in medical malpractice actions are only available in “exceptional cases.” Although the Rivera decision does not immunize medical defendants from claims for punitive damages, it reinforces the trial bench’s obligation to rigorously apply the standards for clear and convincing evidence of willful and wanton conduct, as our analysis of the ruling explains. We also proudly note that Greenbaum attorney John Zen Jackson acted as amicus counsel for the Medical Society of New Jersey and the American Medical Association, which submitted amici briefs in support of the defense in this matter.

On August 12, 2022, the U.S. District Court for the District of Minnesota entered an order in favor of Travelers Casualty and Surety Company of America, dismissing the complaint filed by SJ Computers, LLC, a Minnesota-based computer store. The case should serve as a cautionary tale to businesses across the country, underscoring the critical need to closely read the terms of any cyber insurance policies.

SJ Computers found itself the victim of a business email compromise attack when an attacker gained access to a purchase manager’s email account and sent the company’s CEO purchase orders, purportedly from one of SJ Computers’ existing vendors, Electronic Recyclers International Direct – with the bank account information edited. The CEO, without verifying the new bank information, sent two wire transfers to satisfy the invoices. After the payments had cleared, SJ Computers discovered the fraud and subsequently attempted to seek coverage under its cyber insurance policy by claiming that the attack was computer fraud rather than social engineering fraud because of the increased limits of coverage.

While acknowledging that lawyers had identified only three similar cases across the country, the judge identified a key distinction between those cases and this matter. The policy at issue here covers both computer fraud and social engineering fraud and makes clear that the two are mutually exclusive categories. The Travelers policy defines computer fraud, for which it provides coverage up to $1 million, “as intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a computer system.” Moreover, the policy states that entries or changes made by employees or authorized persons on the basis of fraudulent instructions are not covered as computer fraud. Instead, such actions constitute social engineering fraud (the category under which Travelers agreed to cover SJ Computers), which the policy defines as “the intentional misleading of an employee or authorized person by a natural person impersonating [vendors, clients, employees or authorized persons] through the use of a communication.” Unfortunately for SJ Computers, this provision provides coverage only up to $100,000.

Based on the policy language, the court held that the claim was covered under the social engineering fraud provision, rather than the computer fraud provision. In a comment that underscores the important role individuals play in protecting a company, the judge stated:

“SJ Computers did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.”
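The judge’s list of missed checkpoints reads as a control design: a changed bank account on an invoice is the signature of this kind of attack, and payment should wait for confirmation on a phone number already on file. The following is an added example, not part of the original alert, using constructed vendor data (hypothetical account numbers and phone numbers, not ERI Direct’s real details) to model that approval gate:

```python
"""Payment-approval gate modelled on the SJ Computers incident (added example,
not from the original article). An invoice whose bank account differs from the
vendor master record is held until a person confirms the change by calling the
phone number captured at vendor onboarding, never a number printed on the invoice."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str      # account recorded at onboarding
    verified_phone: str    # callback number recorded at onboarding, not from email


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    bank_account: str
    amount: float
    sender_email: str
    contact_phone: str     # whatever the invoice claims; never used for callback


# Constructed vendor master data (hypothetical values).
VENDOR_MASTER = {
    "ERI Direct": VendorRecord("ERI Direct", "ACCT-ORIGINAL-0001", "+1-555-010-0001"),
}

# Constructed invoice of the kind in the case: a real vendor name with an edited account.
SUSPECT_INVOICE = Invoice("ERI Direct", "ACCT-ATTACKER-9999", 150000.0,
                          "purchasing@sjcomputers.example", "+1-555-999-9999")


def review_invoice(inv: Invoice, confirmed_by_callback: bool = False) -> dict:
    """Return a decision record. confirmed_by_callback means a human reached the
    vendor on the number of record and confirmed the new account."""
    vendor = VENDOR_MASTER.get(inv.vendor_name)
    if vendor is None:
        return {"decision": "HOLD", "reason": "unknown vendor", "callback_number": None}
    if inv.bank_account == vendor.bank_account:
        return {"decision": "PAY", "reason": "bank details match vendor master",
                "callback_number": None}
    # Bank details changed: hold unless confirmed out of band on the number of record.
    if confirmed_by_callback:
        return {"decision": "PAY", "reason": "change confirmed by callback",
                "callback_number": vendor.verified_phone}
    return {"decision": "HOLD",
            "reason": "bank account differs from vendor master; confirm by phone on record",
            "callback_number": vendor.verified_phone}  # deliberately not inv.contact_phone
```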

All businesses with cyber insurance should carefully review their policies and consult with legal counsel and their brokers to fully understand the scope and limitations of what they are purchasing. In today’s world of ever-changing ways in which computers and other technology are used by bad actors to carry out attacks on businesses, the circumstances surrounding the attacks and the language in these policies become even more critical to ensuring that organizations are properly insured for losses. Moreover, as this case shows, efforts to keep employees vigilant in identifying and acting on any suspicious information they encounter are paramount to keeping an organization safe.