New Cyber Breach Coverage Case Holds For Policyholders In Defining "Publication" and “Disclosure” In Insurance Policy

Travelers Indem. Co. of Am. Vs. Portal Healthcare Solutions.On April 11, 2016 the Fourth Circuit Court of Appeals agreed with the lower court that the insurer must defend a health care firm in a cyber breach under its comprehensive general liability policy that includes this still relatively new area of coverage. The Federal appellate court rejected the insurer’s arguments that the health care firm must itself breach the patent’s confidentiality as opposed to being hacked by third parties. The Federal appellate court also rejected the insurer’s arguments that the patents whose medical records were disclosed had to prove for insurance purposes that third persons accessed the information online or elsewhere.

In April 2013, a class action lawsuit was led in New York Supreme Court, which Portal Healthcare Solutions; LLC (“Portal”) was accused of allowing patient medical records to be accessible from November 2, 2012 to March 14, 2013.

Portal was accused of negligence, breach of warranties and breach of contract. Portal was insured for the relevant period of time through CGL policies issued by Travelers Indemnity Co. of America (“Travelers”). In 2013, Travelers led a lawsuit in the U.S Court of Alexandria, seeking a declaration it was not obligated to defend Portal Healthcare because the class action did not allege “personal injury” or “website injury” as defined in the policies.
The Federal Fourth District Court of Appeals is often known as a pro-insurance company jurisdiction but here has ruled in favor of the insured in a manner consistent with other States that may be seen as more pro-policyholder. The Fourth District follows the so-called “Eight Corners” Rule which requires a court interpreting an insurance policy to review the “four corners” of the underlying complaint and the “four corners” of the underlying insurance policy. States such as California allow for extrinsic evidence to be considered, though this often means that the extrinsic evidence reviewed is that which is favorable to the policyholder.

Also of significance in its ruling, the Fourth District Court of Appeals expressly rejected any narrow definition of the words “publication” or “disclosure” in such policies issued to companies that provide services of maintaining computer secrecy of patient medical records. The appellate court rejected Traveler’s effort to parse alternative dictionary definitions and found the “plain meaning” of those terms did not require anything more than the information becoming available on the Internet. It does not require proof of a third person reading the information and does not require proof of any intentional disclosure by the insured company.

Thus, the Federal Court of Appeals affirmed the finding of the lower court that there was coverage for the insured company in defending against the class action which plaintiff patients brought as a result of the publication on the Internet of their private medical records. This case is significant because it provides guidance in defining the scope of such policies concerning cyber breaches and class action lawsuits by consumers who allege injury arising from cyber breaches.