The New Mexico Court of Appeals affirmed the trial court's granting of summary judgment to the insured, agreeing that there was coverage under the cyber policy for a fraudulent transfer of money. Kane v. New Mexico Health Connections, Inc., 2025 N.M. App. LEXIS 38 (N.M. Ct. App. June 16, 2025).
New Mexico Health Connections, Inc. (NMHC) held a cyber breach response policy from Beazley USA Services, Inc. A third-party posing as a NMHC vendor, OptumRX, emailed a fraudulent invoice to NMHC requesting payment at a fraudulent bank account. NMHC wired $4,415,833.11 to the fraudulent bank account from its Wells Fargo account. When OptumRX was not paid, it sued NMHC. The claim was reported to Beazley, who denied the claim. Beazley contended that the OptumRX claim did not trigger third-party liability coverage under the policy, and even if it did, loss of money exclusions barred coverage.
The policy provided coverage "for . . . a security breach." "Security breach" was defined as "a failure of computer security to prevent . . . unauthorized access or use of computer systems, including unauthorized access or use of computer systems . . ." Two loss of money exclusions provided as follows:
The coverage under this Policy will not apply to any loss arising out of:
. . .
2. any loss, transfer or theft of monies, securities or tangible property of the insured or others in the care, custody or control of the insured organization.
3. the monetary value of any transactions or electronic fund transfers by or on behalf of the insured which is lost, diminished, or damaged during transfer from, into or between accounts.
NMHC sued Beazley for breach of the policy. The parties filed cross-motions for summary judgment. The trial court concluded that the policy covered OptumRX's claim against NMHC and that no exclusion applied. Summary judgment was granted to NMCH, and it was awarded $3,533,804.55, the invoiced amount remaining unpaid to OptumRX after a portion of the funds diverted by the security breach were recovered. Beazley appealed.
The parties agreed that there was a "security breach." The dispute focused on the meaning of the preposition "for" in the phrase "for a security breach." Beazley argued that OptumRX did not assert a claim against NMHC "for a security breach " because OptumRX did not allege that, as a result of such a breach, information pertaining to OptumRX was stolen or compromised. Beazley argued that "for" meant "equivalent to" and coverage was provided only for a loss directly connected to the security breach,
NMHC construed the phrase "claim for a security breach" to include a third-party claim for damages where a security breach was casually connected to the loss. The preposition "for" required only a causal connection between the loss or damages claimed and the security breach. NMHC defined "for" as meaning "because of," "arising out of," or "as a result of."
The court found the phrase to be ambiguous, and construed the ambiguity in favor of NMHC. The appellate court agreed with the trial court that the policy's coverage included claims of loss "because of," "resulting from," or "on account of" a security breach.
The court then turned to the loss of money exclusion. Beazley argued section three of the exclusion applied, but did not provide any explanation. Therefore, the court declined to discuss the issue further. Beazley further argued that the funds transferred were in the "care, custody or control" of NMHC and therefore the exclusion applied. The court disagreed, finding that the funds were in the "care, custody or control" of Wells Fargo.
The decision of the trial court was affirmed.
