On April 11, 2016, the Fourth Circuit Court of Appeals held that Travelers Indemnity Company of America must defend its insured, Portal Healthcare Solutions, L.L.C., for Portal’s failure to secure patients’ medical records during a four-month period in late 2013 and early 2014. The opinion is most remarkable in that the insurance policies at issue were traditional commercial general liability (CGL) policies, as opposed to more specialized cyber-liability or professional liability insurance policies.
According to the underlying class-action complaint giving rise to Portal’s claim for coverage, Portal left patients’ medical records accessible online and without password protection. Two named plaintiffs found their records after conducting a Google search for their names. Portal notified Travelers, who in turn rejected Portal’s request for a defense based on its belief that there had not been a “publication” of private medical information.
For many years, CGL insurance policies have provided coverage for, among other things, oral or written publication of material that violates a person’s right of privacy. In this case, there is no question that the medical records constituted material within the scope of the patients’ right of privacy. Travelers’ denial of coverage and arguments before the court asserted that there was no oral or written “publication” of the material, but “publication” was not defined under the CGL insurance policies at issue. The Fourth Circuit, agreeing with the district court, held that making the records available online “at least reasonably or arguably” constituted “publication.”
For insureds, the Fourth Circuit’s opinion provides some best practices with respect to insurance and preparing for and responding to a privacy event or data breach:
-
Identify the potential for coverage. Well in advance of renewal of your CGL, directors’ and officers’, and cyber-liability insurance policies, carefully analyze the potential for coverage for liability arising out of a possible privacy event or breach.
-
Aggressively negotiate policy terms. Where negotiation of the policy terms is possible (which they are in many cases), think strategically about how best to address any gaps in coverage. Also, carefully evaluate the implications of asking an insurer to clarify potential ambiguous terms (in this case, “publication”) based on the law that would apply to the interpretation of the policy. Sometimes an ambiguous term, coupled with case law, is good for the insured; other times it is not.
-
Privileged communications safeguard against surprises in contested claims. Understand that discussions of these issues can be privileged if with a coverage attorney but may not be if with an insurance broker.
-
Don’t judge a policy’s coverage by its title. When a potential claim has occurred, evaluate each of your insurance policies for coverage. Never assume that a certain type of insurance policy will not respond and keep up to date on changes in the law that might apply.
-
Whether there may be coverage can change. As facts or the case develops, periodically revisit the initial conclusion regarding the availability of coverage under each of your insurance policies.
©2025 MICHAEL BEST & FRIEDRICH LLP