In an encouraging development for insureds, the United States Court of Appeals for the Fourth Circuit held that a health care company’s general liability insurer was required to defend the company against claims stemming from an alleged failure to secure electronic medical records. In The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that the breach resulted in a “publication” of medical records, thus falling within the scope of the general liability policy issued to Portal Healthcare Solutions, L.L.C. (“Portal”). The decision reaffirms that insureds that experience adverse cyber events are not limited to cyber-specific policies as the source of potential insurance coverage.
Portal’s insurer, The Travelers Indemnity Company of America (“Travelers”), commenced litigation in the United States District Court for the Eastern District of Virginia, seeking a determination that it was not required to defend Portal against a putative class action alleging that Portal negligently failed to secure a server hosting medical records, which resulted in those records becoming available on the Internet. Ruling on cross-motions for summary judgment, the District Court sided with Portal, reasoning that the allegations “at least potentially or arguably” alleged a “publication” of private medical information that either (a) gave “unreasonable publicity” to the patient’s private life, or (b) “disclose[d] information” about the patient’s private life. Either circumstance triggered a coverage obligation under the Travelers policies.
On appeal, the Fourth Circuit largely adopted the reasoning of the District Court, which held that the underlying class action complaint alleged a “publication” of private medical information by Portal because Portal’s alleged failure to secure the patient medical records allowed any online user to view those records over a period of four months. Such conduct fell within the plain meaning of the policies’ undefined term “publication,” which the court held meant “to place information before the public.” The allegations further fell within the policy requirements because such conduct, if proven, “would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”
The decision highlights that commercial general liability policies are a potential source of coverage in the context of emerging issues such as cyberliability. The decision further underscores the importance of closely analyzing policies for ambiguities. If an insurer fails to define a term, courts are willing to broadly interpret that term in support of coverage. This is true even if the alleged injury arose from a type of risk not contemplated when the policy language was originally drafted. In this sense, broadly worded policies can evolve and address non-traditional legal issues faced by many of today’s insureds.
For these reasons, insureds should seek guidance from experienced coverage counsel if faced with an adverse cyber event. While a cyber-specific policy may be an appropriate (or even necessary) part of a complete risk management program, such coverage may not be the only insurance available to respond to an adverse cyber event. Coverage counsel can help to maximize the potential for coverage under each of the policies in an insurance program, including general liability and other traditional lines of insurance.