On Monday, the Fourth Circuit held that Travelers must defend Portal Healthcare in a class action claim arising out of an alleged medical records data breach.
The class action, filed in New York state court in April 2013, alleges that Portal negligently failed to secure its server containing confidential records of patients at a hospital in Glen Falls, New York. This alleged failure made the records publicly available online. When patients noticed their personal information was readily available online, they notified Portal and subsequently filed suit.
After the data breach, Portal sought coverage under two policies it maintained with Travelers, which purported to cover electronic publication of materials from January 2012 to January 2014. Travelers denied coverage and Portal brought suit in Virginia federal court.
In an unpublished opinion. the Fourth Circuit panel on Monday adopted the reasoning of the trial court’s August 2014 decision. In that decision, U.S. District Judge Gerald Bruce Lee held that by disclosing confidential patient information, Portal had effectively published that information. As such, he concluded that Travelers had a duty to defend Portal, as the breach had triggered the personal and advertising injury coverage provision contained in the Travelers policy. Travelers argued that it had no duty to defend because Portal did not intend to publish the medical information, and because the class members offered no evidence that any third parties had actually viewed the information. Rejecting this argument, Judge Lee noted that “publication occurs when information ‘is placed before the public,’ not when a member of the public reads the information placed before it.”
Travelers appealed, and the Fourth Circuit panel confirmed Judge Lee’s “sound legal analysis.” The Fourth Circuit affirmed Judge Lee’s ruling based on the “eight corners” rule, whereby the court compares the allegations of the complaint to the language of the policy to determine whether the claim could potentially fall within the coverage grant. “We agree with the opinion that Travelers has a duty to defend Portal against the class-action complaint,” the Fourth Circuit wrote. “Given the eight corners of the pertinent documents, Travelers’ efforts to parse alternative dictionary definitions [of publication] do not absolve it of the duty to defend Portal.”
As mentioned above, the decision was unpublished, so it is not considered binding precedent in the Fourth Circuit; nor, of course, is it binding on any other court. Also, the facts are distinguishable from other data breach cases which have found that there is no coverage under a traditional liability policy for alleged “publication” of private information. In this case, the information was allegedly “published” by Portal — the insured under the policy — rather than by a third party, such as a hacker, as was the case with Sony, for example. Moreover, many traditional policies now have specific exclusions that address loss of electronic data. Thus, it is difficult to say whether this case will have any far-reaching implications or if it will be confined to its facts. Either way, it has generated a lot of buzz and it is certain to be – as it should be – a topic of conversation among those in the insurance industry. Whichever way you come down on the decision, it by no means settles the debate on whether a CGL policy covers a data breach claim, though it may provide some fodder for the debate to drag on a little longer.
The case is Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, No. 14-1944, U.S. Court of Appeals for the Fourth Circuit.