Fourth Circuit: insurer has obligation to provide defense under CGL policy to data breach claim

April 25, 2016

Health Care Litigation Alert

Author(s): Kurt M. Mullen, Michael S. Cohen, Michal E. Ovadia

In an unpublished opinion, the United States Court of Appeals for the Fourth Circuit affirmed a district court’s ruling that an insurer has a duty, under Virginia law, to defend an insured against a putative data breach class action alleging the disclosure of medical records. Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). The district court’s ruling is noteworthy because it required coverage under a Commercial General Liability (“CGL”) policy.

The policyholder in Portal specialized in the electronic safekeeping of medical records for hospitals, clinics and other providers. In April 2013, a putative class action was filed in New York state court, alleging that the policyholder failed to safeguard patient medical records, resulting in the records being posted on the internet. Two patients discovered their own records when they conducted Google® searches of their names. The suit alleged that these records were accessible, viewable, copyable, printable and downloadable from the internet by unauthorized persons—though there was no allegation that anyone actually had downloaded the records or done anything else with them.

The insurer brought a coverage action against the policyholder in the Eastern District of Virginia seeking a declaration that it had no duty to defend the policyholder under either of the two general liability policies the insurer had issued. The district court rejected the insurer’s argument and entered summary judgment in favor of the policyholder.

In reaching its conclusion, the district court limited itself to the allegations of the class action complaint and the terms and conditions of the insurance policies, in accordance with Virginia’s so-called “Eight Corners’ Rule.” The court rejected the insurer’s argument that the alleged disclosure of protected health information was not a “personal injury” under Coverage B of the policies because the breach did not result in a “publication” of electronic material (because the breach was unintentional and no third party was alleged to have downloaded the records). Rather, the district court reasoned that the complaint’s allegations fell within the common dictionary definition of “publication.”

The district court also concluded that the online posting of the class action plaintiffs’ medical information also gave “unreasonable publicity” and “disclose[d]” information about the patients’ private lives, regardless of whether the records actually were downloaded by a third person.

The Fourth Circuit “commend[ed] the district court for its sound legal analysis,” similarly limiting itself to the class action complaint and the applicable insurance policies. The Circuit Court determined that the district court appropriately concluded that the disclosure of patient information on the internet was a “publication,” thereby coming within the policies’ coverage for purposes of the duty to defend. The Fourth Circuit did not address whether the insurer had a duty to indemnify the policyholder. Moreover, the Fourth Circuit’s opinion did not address whether this type of risk would be more appropriately covered by cyber liability insurance, which is an increasingly popular insurance product.

While the Portal decision represents a successful effort by a policyholder to compel coverage under a CGL policy for a data breach class action, its impact may be limited. The policies before the court in Portal included variations from the standard CGL policy form. In fact, more recent versions of the standard form exclude personal and advertising injury coverage for alleged violations of federal statutes such as the Telephone Consumer Protection Act (TCPA) and the Fair and Accurate Credit Transactions Act (FACTA). ISO also has created an endorsement for CGL coverage aimed at excluding coverage for data breaches altogether. In addition, the issue before the court in Portal was limited to an insurer’s duty to defend, which is broader than the duty to indemnify.

Given these limitations, as well as decisions in other jurisdictions that have concluded that data breach actions are not covered under standard CGL policies, it seems unlikely that the Fourth Circuit’s affirmance will have a significant impact on the continued development of the cyber liability insurance market. One can expect, however, that policyholders, both within and outside of the health care industry, will continue to argue that there may be coverage for data breaches under CGL policies.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top