In an encouraging development for insureds, the United States Court of Appeals for the Fourth Circuit held that a health care company’s general liability insurer was required to defend the company against claims stemming from an alleged failure to secure electronic medical records. In The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that the breach resulted in a “publication” of medical records, thus falling within the scope of the general liability policy issued to Portal Healthcare Solutions, L.L.C. (“Portal”).  The decision reaffirms that insureds that experience adverse cyber events are not limited to cyber-specific policies as the source of potential insurance coverage.

Portal’s insurer, The Travelers Indemnity Company of America (“Travelers”), commenced litigation in the United States District Court for the Eastern District of Virginia, seeking a determination that it was not required to defend Portal against a putative class action alleging that Portal negligently failed to secure a server hosting medical records, which resulted in those records becoming available on the Internet. Ruling on cross-motions for summary judgment, the District Court sided with Portal, reasoning that the allegations “at least potentially or arguably” alleged a “publication” of private medical information that either (a) gave “unreasonable publicity” to the patient’s private life, or (b) “disclose[d] information” about the patient’s private life.  Either circumstance triggered a coverage obligation under the Travelers policies.Continue Reading Court Upholds Coverage Under General Liability Policy for Claim Alleging Failure to Protect Data