Federal Court Rules Data Breach Covered by CGL Insurance Policy
A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013.
The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on computer server that could be accessed over the Internet, and the data of some patients had been indexed by the search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google.
The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glen Falls Hospital in New York.
The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glen Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in data being left unprotected. The files were accessible due to a misconfigured firewall, which was attributed to human error.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
A spokeswoman for Glen Falls Hospital said that there was no way of determining if the records were accessed during the time they were exposed, although Portal Healthcare Solutions claimed a forensic analysis of access logs showed there was no third party access.
Portal Healthcare Solutions had purchased a commercial general liability insurance policy (CGL) from Traveler’s Insurance at that policy was active at the time of the data breach. Portal believed the policy provided cover under Coverage Part B Personal and Advertising Injury. That section of the policy provided cover if Portal was obliged to pay damages as a result of the “electronic publication of material” resulting in “unreasonable publicity to a person’s private life.” Traveler’s Insurance disagreed.
A declaration was sought by Travelers in 2013 that it was not obliged to defend its client as the incident was not covered by the terms of the policy. Travelers claimed that there was no personal injury or publication because the records were not “intentionally published” on the Internet and no third party gained access to the records.
The District Court for the Eastern District of Virginia ruled in August, 2014., that the privacy breach was covered under the terms of the policy. Travelers appealed the decision but earlier this week the U.S. Court of Appeals for the 4th Circuit upheld the district court’s decision.
The court ruled that the plaintiffs’ records were published, even though the publication was unintentional, saying “Publication occurs when information is placed before the public, not when a member of the public reads the information placed before it,” and that the publication gave “unreasonable publicity” to the patients’ private lives.
Insurance Journal reported that Travelers argued that in 2015, the Connecticut Supreme Court ruled there was no coverage under a CGL issued by Federal Insurance Company and Scottsdale Insurance Company following the loss of backup tapes containing the personal information of IBM employees. The tapes had fallen out of an Executive Logistics van during transportation and were taken by a member of the public and were not recovered. The Connecticut Supreme Court ruled that there was no coverage in that case as there was no evidence that the information had been accessed.
However, the circuit court said that in the case of Travelers that precedent did not apply. This was not a case of one individual potentially gaining access to the backup tapes. The Portal breach involved records being accessible by anyone with a computer and an Internet connection.
Travelers is now obliged to defend Portal in the lawsuit, but the decision is likely to see Traveler’s Insurance add a clause in future CGL policies excluding the publication of records on the Internet. It is probable that similar clauses will be introduced by other insurers.