Fourth Circuit Holds That The Accidental Disclosure of Medical Records on the Internet Triggered Duty to Defend

In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, the Fourth Circuit recently affirmed a federal district court’s determination that a class action lawsuit arising out of a medical records safekeeping firm’s alleged failure to safeguard confidential medical records triggered an insurer’s duty to defend under a policy that afforded coverage for damages arising out of “electronic publication of material that… gives unreasonable publicity to a person’s private life” or the “electronic publication of material that… discloses information about a person’s private life” (the specific policy language changed at renewal, but the court found them materially identical).

In the underlying class action lawsuit, the class representatives alleged that Portal Healthcare Solutions, a firm specializing in the safekeeping of electronic medical records, failed to safeguard confidential patient information when it inadvertently posted their records on the internet, thus rendering the confidential records publicly accessible.  Notably, the underlying class action lawsuit did not allege that any third-party viewed the records.

The trial court and the Fourth Circuit concluded that the inadvertent placement of the records on the internet constituted a “publication” because any member of the public could retrieve the records.  In so ruling, the trial and appellate courts rejected Travelers’ argument that there was no “publication” because the publication was unintentional, explaining that a publication is a publication regardless of intent.  Travelers also argued there was no “publication” because there was no allegation that any third-party accessed the information.  Disagreeing, the courts held that a “publication” occurs when information is “placed before the public,” such that the actual viewing of that information is irrelevant.   Travelers also argued that the disclosure did not amount to giving “publicity,” because Portal “did not take steps designed to attract public interest or gain public attention or support.”  The trial court and Fourth Circuit likewise rejected that argument, explaining that Portal “enagage[d] in the process of making previously unknown records suddenly known to the public at large,” and thus gave “publicity” to the records.

The trial court and the Fourth Circuit expressly distinguished this case from cases where data was stolen by an individual, because, here, the insured actively, albeit unintentionally, disclosed confidential information to the public at large.  Accordingly, it does not appear that this case can easily be extended to the hacking/cyber liability context.

Significantly, neither court explicitly stated the type of policies at issue, however the language at issue is similar to that found in Coverage B of standard CGL policies.

Click here for the unpublished Fourth Circuit opinion.  The citation for the published trial court opinion is Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014), aff’d sub nom. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C. (4th Cir. Apr. 11, 2016).

– – – – – – – – – – – – –

Please contact any of our attorneys if you have any questions or would like to discuss this case in greater detail.