In April 2013, Glens Falls Hospital admitted that the medical records for more than 2,300 of its patients were stored for several months on an unprotected computer server. The hospital’s outside records contractor, Portal Healthcare Solutions LLC (“Portal”), confirmed that it stored thousands of notes from doctors on the unprotected server. Not surprisingly, a class action was filed in New York by the patients whose private medical records were exposed on the internet. The two named plaintiffs claimed that when they searched their names on Google, the first links that appeared were to their private medical records from the Glens Falls Hospital.
During the material time, Portal was insured by Travelers Indemnity Company of America (“Travelers”). The complaint alleged that confidential medical records were available on the internet from November 2012 to March 2013, implicating potential coverage under two calendar year policies. Under the 2012 policy, Portal was eligible for coverage pursuant to the Part B Personal and Advertising Injury provision if Portal became legally obligated to pay damages because of an injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life.” Under the 2013 policy, Portal was eligible for coverage pursuant to Part B if the offending injury was the result of the “electronic publication of material that…discloses information about a person’s private life.” Travelers took the position that it had no duty to defend Portal because the class action complaint failed to allege a covered publication under either policy.
In July 2014, the District Court granted summary judgment, ruling that Travelers was duty bound to defend Portal because under either policy, the public exposure of medical records on the internet amounted to a “publication” as that word is commonly understood. Further, the trial court found that public availability of a patient’s confidential medical records gave “unreasonable publicity” and “disclosed information about a person’s private life,” thus satisfying the second prong of the Part B language in both policies.
Recently, in an unpublished decision, the Fourth Circuit Court of Appeals confirmed that the District Court correctly applied Virginia law by following “the four corners of the underlying [class action] complaint” and “the four corners of the underlying insurance policies” and noted that “an insurer’s duty to defend an insured ‘is broader than its obligation to pay’ or indemnify an insured” under Virginia law.
Applying these principles, the court concluded that the class action complaint “at least potentially or arguably” alleged a “publication” of private medical information by Portal that constitutes conduct covered under the Policies. Such conduct, if proven, would have disclosed information about the patients’ private lives because anyone with an internet connection could have viewed the plaintiffs’ private medical records.
Interestingly, the Insurance Services Office (“ISO”) issued a new CGL form effective May 2014 that would have likely changed the outcome in this case. The new form CGL policy contains an endorsement that specifically excludes data breach claims. Separate policies are available that provide for coverage of privacy breaches or cyberliability. However, small and medium-sized companies typically rely on a CGL policy only. Where there is an inadvertent or intentional disclosure of private health information occurring after May 2014, the new form CGL policy may not provide sufficient protection from liability.