On August 7, 2014, the United States District Court for the Eastern District of Virginia held in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917 (E.D. Va. Aug. 7, 2014), that online posting of patient medical information constituted “publication,” whether or not it was viewed by a third party, and therefore triggered the insurer’s duty to defend its insured against a class action seeking damages for breach of privacy claims.
Background
The underlying litigation involved claims by former patients at Glen Falls Hospital (“Glen Falls”) who discovered, after their discharge, that their confidential medical records had been posted online. The patients had conducted ordinary Internet searches of their names and discovered that the information was online. They commenced a class action lawsuit alleging negligence, breach of contract and other counts against Portal Healthcare Solutions, LLC (“Portal”), the company hired by Glen Falls to keep patient medical records secure.
Portal was insured under two Travelers Indemnity Company of America (“Travelers”) insurance policies. The policies obligated Travelers to, among other things, defend and indemnify Portal against claims arising from: (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” (the language in the 2012 policy); and (2) the “electronic publication of material that … discloses information about a person’s private life” (the language in the 2013 policy). Travelers denied coverage, contending that the claims against Portal were not covered because (1) Portal did not intend to publish the information; and (2) no third party was alleged to have viewed the information — only plaintiffs who “Googled” their own names. Portal contended that the claims did, in fact, trigger coverage under the policies because the alleged misconduct fell within the policy coverage for “publication” giving “unreasonable publicity” to or “disclos[ing] information” about a person’s private life. Both parties moved for summary judgment.
Holding
The court rejected Travelers’ argument that the online posting was not a “publication.” According to the court, the term “publication” does not hinge on the would-be publisher’s intent; rather, it hinges on whether the information was placed before the public. In that regard, the court also rejected Travelers’ argument that the conduct did not amount to a “publication” because no third party was alleged to have viewed the information. The court found that “publication” does not require third-party access, but only that the information be “placed before the public,” such that the information is merely available to the public, even if nobody ever accesses or reads it. As the court explained, “the definition of ‘publication’ does not hinge on third-party access … [b]y Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it.”
The court also distinguished Travelers’ case authority, in which courts found no “publication” where a customer was handed a receipt bearing that customer’s personal credit card information or where computer tapes fell out of a van and were never recovered. In those cases, according to the court, the information was accessible by only a single person or thief whereas, here, the patients’ information was accessible by anyone with a computer and Internet access.
Implications
Portal Healthcare supports an expansive interpretation of the term “publication,” demonstrating that the term applies to any act that enables access to private information, even if the private information may not have been accessed. Although the decision appears to have concerned a policy specifically designed to cover “electronic communications,” the court’s construction supports the principle that the personal injury provisions of standard general liability policies, which apply to publications violating the right of privacy, apply to data breaches and other cybersecurity events, as those events lead to data being available, whether or not it is reviewed. The decision stands as a reminder, therefore, that policyholders presented with claims alleging data loss or data breach are entitled to coverage under standard general liability policies as well as under specialty cyber policies.