A commercial general liability policy issued by Hartford Casualty Insurance Company covers defense costs and damages that may arise from two lawsuits brought by patients who alleged a massive data breach exposed their personal medical information to public view for over a year, a federal court in California held October 7. The U.S. District Court for the Central District of California rejected Hartford’s argument that the policy’s exclusion of statutory causes of action was triggered because the litigation was brought under the California Confidentiality of Medical Information Act (CMIA). The court found the exclusion did not apply because the state’s common law has long recognized a right to medical privacy.

Plaintiffs in the underlying litigation sued Stanford Hospital and Clinics and Corcino & Associates alleging the private medical information of almost 20,000 patients was posted on a public website for almost a year. The lawsuits alleged violations of plaintiffs’ constitutional and common law privacy rights, as well as statutory causes of action under the CMIA.

Corcino has a general liability policy issued by Hartford that covers damages stemming from the “electronic publication of material that violates a person’s right of privacy.” When Corcino sought defense and indemnification under that provision, Hartford argued the policy specifically excluded coverage for injuries “arising out of the violation of a person’s right to privacy” created by statute. Hartford asserted this argument in its lawsuit filed in federal district court seeking declaratory relief from having to defend and indemnify Corcino in the state court actions.

The federal district court, however, agreed to dismiss Hartford’s action after finding that another clause in the policy, when construed in favor of coverage, made the exclusion inapplicable where the insured could be liable for damages under the common law. In other words, the exclusion applied only where a claim arising out of an invasion of privacy was created by statute. But California courts have long recognized a right to privacy and allowed tort actions for violations of that right.

Hartford attempted to argue the exclusion was triggered because plaintiffs sought statutory remedies under the CMIA. According to the court, however, these remedies merely codified relief already available for a violation of medical privacy under the common law. “The statutes thus permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage,” the court held.

Hartford Casualty Ins. Co. v. Corcino & Assocs., No. 2:13-cv-03728-GAF-JC (C.D. Cal. Oct. 7, 2013).