The Fourth Circuit Court of Appeals recently held that an insurer had a duty to defend an insured against class action allegations that the insured posted confidential medical records on the Internet. Two patients at Glen Falls Hospital discovered that when they conducted a “Google” search of their respective names, the first link that appeared was a direct link to their respective Glen Falls medical records. Glen Falls had contracted with Portal Healthcare Solutions, LLC (“Portal”) for the electronic storage and maintenance of its patients’ confidential medical records. A class action lawsuit was filed against Portal in state court in New York in April 2013. The suit alleged that patients’ confidential medical records were accessible, viewable, printable and downloadable from the internet by unauthorized persons without security restrictions from November 2012 to March 2013.
Portal’s insurer, Travelers Indemnity Company of America (“Travelers”), filed a declaratory judgment action in the Eastern District of Virginia seeking a ruling that it did not have a duty to defend under two insurance policies issued during consecutive years. One policy obligated Travelers to pay sums Portal became legally obligated to pay as damages because of injury arising from the “electronic publication of material that . . . gives unreasonable publicity to a person’s private life.” The second policy covered the “electronic publication of material that . . . discloses information about a person’s private life.”
In an unpublished decision, the Fourth Circuit adopted the reasoning of the district court in concluding there was a duty to defend. First, the court considered whether there was an alleged “publication” of electronic material. Second, the court examined whether the published material gave “unreasonable publicity” to or “disclose[d]” information about a person’s private life.
In concluding a publication was alleged, the court examined a dictionary definition of “publication” which defined publication as “to place before the public (as through a mass medium).” The court concluded that exposing medical records through the online search of a patient’s name, followed by a click on the first result, at least potentially or arguably places the records before the public. Therefore, Portal’s alleged conduct fell within the plain meaning of “publication.” The court rejected Travelers’ argument that there should be no duty to defend because the purpose of the services Portal provided was to keep medical records private and confidential. The court reasoned that the definition of publication does not require intent to publish but focuses on whether the information was placed before the public. The court concluded “unintentional publication is still a publication.” The court also rejected Travelers’ argument that no publication occurred because no third parties were alleged to have viewed the information. The court reasoned the definition of publication does not hinge on third-party access but rather centers on whether the information was placed before the public. Consequently, the medical records were published the moment they became accessible to the public via an online search.
Turning to the second issue, the court concluded that making the medical records available online gave unreasonable publicity to a patient’s private life and disclosed information about a patient’s private life. The court stated “there can be no question that posting medical records online without security restriction exposes the records to the general view and thus, gives the records ‘publicity’ since, quite literally, any member of public can view, download, or copy those records.” With respect to the term “disclosure,” the court applied a dictionary definition defining the term as “the act or process of making known something that was previously unknown; a revelation of facts.” The court concluded that Portal revealed medical records previously known only to the patients to the public at large. Further, the question of whether any third parties had viewed the records did not matter because Portal had engaged in the “process” of making previously unknown records known to the public at large.
While the court concluded there was a duty to defend in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, it did not answer whether a company that secures its servers, and is then hacked illegally by a third party with the result that confidential patient records are compromised, has published those records. If there is no coverage for information exposed after a secure server is hacked, the irony is that an insured who arguably acts recklessly by not properly protecting its servers will have coverage while a company that secures its servers and is the victim of criminal conduct has no coverage.