Insurers May Need a Doctor’s Note: Data Breach of Medical Records Triggers Coverage, Says Fourth Circuit

On Monday, April 11, 2016, the Fourth Circuit handed down a notable, albeit unpublished, decision with regard to an issue that has vexed the insurance industry, namely, do data breaches trigger a CGL insurer’s duty to defend under Coverage B? In Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., the Fourth Circuit determined, under Virginia law, the underlying class action lawsuit, indeed, triggered Travelers’ duty to defend.

The underlying lawsuit was a class action complaint filed against, in pertinent part, Portal Healthcare Solutions, L.L.C. for allowing unauthorized access to patients’ medical records. Notably, Portal contracted with an upstate New York hospital to provide medical record hosting services. It is then alleged that for a span of approximately four months, patient information contained on the Portal servers was viewable by unauthorized persons.

The Travelers Indemnity Company of America (Travelers), which had issued to Portal two policies for the relevant period, filed suit seeking a declaration it did not have a duty to defend or indemnify Portal in relation to the class action complaint. Travelers argued specifically that the class action complaint did not allege a covered “publication” by Portal. On cross-motions for summary judgment, a Virginia federal district court determined that Travelers did have a duty to defend, relying on a dictionary definition of “publication” of “to place before the public (as through a mass medium).” The district court also rejected Travelers’ argument that there could be no “publication” absent proof of third-party access to the medical records. The district court instead opined that “the medical records were published the moment they became accessible to the public via an online search.”

On appeal, Travelers again insisted the class action complaint did not trigger its duty to defend. The Fourth Circuit, after acknowledging Virginia’s eight-corners rule, agreed with the district court’s assessment that the class action complaint “at least potentially or arguably” alleged “publication” of private medical information. Specifically, since any member of the public with an Internet connection could have viewed the private information on Portal’s servers, the Fourth Circuit concluded a “publication” could theoretically have occurred.

Despite being a blow to Travelers, the impact of Portal Healthcare may be limited for five reasons. First and most important, this is an unpublished decision and therefore non-precedential.

Second, Portal Healthcare is based upon a somewhat atypical fact scenario.  There, the insured, itself, was alleged to have negligently unsecured the medical records and allowed them to be available in cyberspace.  This is unlike the more commonly litigated data breach scenario where hackers are the cause of secret information being released to the public (or a common scenario not typically litigated where the insured’s employee loses a laptop—although, the insured may very well be required to notify all those potentially affected by the records made unsecure).  The distinction between the insured and the hackers being the cause of the “publication” can make all the difference.  See Zurich Am. Ins. Co. v. Sony Corp. of Am. Index Number 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014) (pending an appeal, the parties ultimately settled).

Third, this decision is squarely at odds with other courts’ rulings nationwide. For instance, the Connecticut Supreme Court in Recall Total Information Management, Inc. v. Federal Insurance Co., 317 Conn. 46, 115 A.3d 458 (2015), held that third-party access to private or secret information is a prerequisite to a “publication” in a data breach scenario. Absent a showing of access to the personal information, the court held that the underlying lawsuit was not covered under a commercial general liability policy.

Fourth, the Travelers’ policies did not include the new ISO endorsements specifically addressing the disclosure of private information. Thus, whether a data breach involved a “publication” may be moot for new CGL policies that completely, deliberately, and specifically bar coverage for losses due to data breaches.

Fifth, the ruling does not announce any grand interpretation of “publication” or the Publication Offense. Rather, it turns upon a duty to defend principle. In other words, the Fourth Circuit dodged the more significant question of what generally constitutes a “publication,” more generally. While one would reasonably expect that some indicia of an unauthorized third-party’s access to secret information would be necessary to trigger an insurer’s duty to defend under the Publication Offense, the court’s opinion suggests that the mere hypothetical possibility that the secret information could have been accessed is sufficient. At bottom, that conclusion rests on a classic duty to defend principle, which suggests strongly why the Fourth Circuit did not deem this opinion as one warranting “publication” in the reporters (no pun intended).