Why it matters

Policyholders must be vigilant to ensure that they carry the appropriate insurance to provide coverage for cyber-related losses. In a recent case, a Virginia federal court ruled that coverage was triggered for a lawsuit accusing the insured company of posting confidential medical records on the Internet – even though there was no evidence that anyone ever viewed the information. The court rejected a host of insurer arguments, including that the posting was accidental and the records were not really published. “[E]xposing confidential medical records to online searching is ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclosing’ information about, a person’s private life,” the court concluded, ordering the insurer to defend. This case highlights the need for a forward-looking insurance program related to electronic information.

Detailed Discussion

When patients of Glen Falls Hospital conducted a Google search of their names, the first link that appeared contained a direct link to their medical records. Two patients filed a putative class action alleging that their confidential medical records were accessible and downloadable from the Internet without any security restrictions over a period of several months.

Glen Falls had contracted with Portal Healthcare Solutions for the electronic storage and maintenance of its patients’ medical records. The suit named both Glen Falls and Portal as defendants.

Portal turned to Travelers Indemnity Company to defend the underlying litigation. Travelers disputed its coverage obligations, and Portal filed suit in Virginia federal court.

The court found that the Travelers policy contained two prerequisites to coverage. First, the policies required an electronic “publication” of the material. Second, the published material must have given “unreasonable publicity” to, or “disclose[d]” information about, a person’s private life. The court concluded that the underlying complaint met both prerequisites.

The court rejected Travelers’ argument that the online posting was not a “publication” because the term “publication” does not hinge on the would-be publisher’s intent. Rather, it hinges on whether the information was placed before the public. The court also rejected Travelers’ argument that the posting did not amount to a “publication” because no third party was alleged to have viewed the information. The court found that “publication” does not require third-party access, but only that the information be “placed before the public,” such that the information is available to the public, even if nobody ever accesses or reads it.

As the court explained, “the definition of ‘publication’ does not hinge on third-party access. . . . By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it.”

As for the second prerequisite, the court found that “[t]here can be no question that posting medical records online without security restriction exposes the records to the general view and thus, gives the records ‘publicity’ since, quite literally, any member of the public can view, download, or copy those records.”

The information clearly “disclosed” information about the patients’ personal lives the moment the records were posted online, regardless whether a third party viewed them. The posting made medical records previously known only to the patient suddenly known to the public at large, the court ruled. As such, the allegations of the complaint triggered Travelers’ obligation to defend.

To read the opinion in The Travelers Indemnity Company of America v. Portal Healthcare Solutions, click here.