Data Protection Report - Norton Rose Fulbright

On April 11, 2016, the Fourth Circuit Court of Appeals upheld a ruling by the Eastern District of Virginia that two Commercial General Liability (“CGL”) insurance policies required an insurer cover the defense of a medical records company in a class-action claim relating to alleged failure to secure patients’ medical records.[1]

The Class Action and the Coverage Dispute

On April 18, 2013, a class action was filed in state court in New York, alleging that medical records company Portal Healthcare Solutions, LLC (“Portal”) had contracted with Glen Falls Hospital to electronically store and maintain its patients’ medical records (the “Class Action”).  However, two patients alleged that they conducted a Google search of their own names and the first link that appeared was to their Glen Falls medical records.[2]  According to the class action complaint, the information was available and accessible on the internet for more than four months (from November 2012 to March 2013).

A few months later, on July 30, 2013, Portal’s insurer, Travelers Indemnity Company of America (“Travelers”), filed a suit for declaratory judgment in the Eastern District of Virginia, seeking a declaration that the Class Action was not covered under either of two effectively identical CGL policies it had issued to Portal (the “CGL Policies”).[3]  Portal disagreed.  Travelers and Portal filed cross-motions for summary judgment, seeking a determination from the court on whether Travelers owed Portal the duty to defend.

The CGL Policies

Both of the CGL Policies covered portions of the four-month period alleged in the class action complaint and insured “Personal Injury.”[4]  Coverage for “Personal Injury” included alleged “electronic publication of material that . . . gives unreasonably publicity to a person’s private life.”[5]

The District Court Holds that the Class Action Alleged “Personal Injury”

Because the Class Action was ongoing, the parties’ dispute was limited to whether Travelers had a duty to defend the Class Action.[6]  The District Court held that, applying the unambiguous terms of the CGL Policies, the duty to defend was triggered by the Class Action’s allegations.[7]

First, the court noted that, under the “Eight Corners Rule,” Travelers had a duty to defend Portal “so long as the [Class Action] alleges grounds for liability ‘potentially or arguably covered by the [CGL Policies].”[8]  The court also noted that determination of the duty to defend was a “pure question of law” to be determined “by comparing what [the plaintiff in the underlying suit] has alleged . . . with the language of the insurance policy.”[9]  And “any uncertainties regarding [the CGL Policies’] language must be construed in favor of the insured.”[10]

Whether the duty to defend had been triggered depended on two questions:

  • Was there “an electronic ‘publication’ of material”; and
  • Did any “published material g[a]ve ‘unreasonable publicity’ to, or ‘disclose[d]’ information about, a person’s private life”?

The District Court held that the answer to both questions was “Yes.”[11]

The Class Action Alleged That Portal “Published” the Medical Records

First, the District Court held that the Class Action alleged that Portal electronically “published” the Medical Records.[12]  “Publication” was not defined by the CGL Policies, so the District Court gave the term its “plain and ordinary meaning,” holding that “publication” means “to place before the public (as through a mass medium).”[13]  Based on that definition, the District Court held that “[e]xposing medical records to the online searching of a patient’s name, followed by a click on the first result, as least ‘potentially or arguably’ places those records before the public.”[14]

The Class Action Alleged That Portal Gave “Unreasonable Publicity” to, and “Disclosure” About, Patients’ Private Lives

Second, the District Court held that the Class Action alleged Portal had given “unreasonable publicity” to, and “disclosure” about, patients’ private lives.[15]  The CGL Policies did not define “publicity” or “disclose,” so the Court defined those terms to mean “the quality or state of being obvious or exposed to general view” and “[t]he act or process of making known something that was previously unknown.”[16]

Based on those definitions, the Court held that the allegation that the information was searchable from Google alleged that the information was given “publicity,” because it was “exposed to general view.”[17]  And by allegedly allowing “the unrestricted posting of medical records on the internet,” the information was allegedly “disclosed,” because it “made known something that previously had been unknown.”[18]

Thus, because the Class Action alleged “electronic publication of material that . . . gives unreasonably publicity to a person’s private life,” the District Court held that it alleged “Personal Injury” under the CGL Policies, and Travelers’ duty to defend was triggered.[19]

The Fourth Circuit Affirms the District Court’s Holding

On appeal, the Fourth Circuit affirmed the District Court’s ruling.[20]  The Fourth Circuit specifically agreed with the District Court’s analysis that the Class Action “at least potentially or arguably alleges a publication of private medical information” and that “[s]uch conduct, if proven, would have given unreasonable publicity to, and disclose[d] information about, patients private lives.”[21]

The Fourth Circuit also reiterated that insurance coverage is broadly interpreted, holding that, “where there is doubt as to [a policy’s] meaning,” it will be interpreted “in favor of the[] interpretation which grants coverage, rather than that which withholds it.”[22]


The rulings in the Travelers opinions show that insurance coverage for data breach lawsuits may extend outside of policies written specifically to cover data breach scenarios.  The opinions also show the extent courts interpret insurance policies in favor of coverage.

However, the extent to which Travelers will be relied on as precedent in future cases is unclear.  Specifically, it is not clear that a hacker’s posting of private information on the internet would constitute a “publication” of information, even under a similar policy.  Instead, the Class Action alleged that it was Portal’s own negligence that resulted in the information being published on the internet.[23]  In fact, the District Court specifically distinguished the facts alleged in the Class Action from a “thief” obtaining personal data electronically.[24]

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.


[1] See Travelers Indem. Co. v. Portal Healthcare Sols., L.L.C. (the “Travelers Appeal”), No. 14-1944, — Fed.Appx. —-, (4th Cir. Apr. 11, 2016).

[2] See Halliday v. Glens Falls Hospital, Complaint, No. 2013-1376 (N.Y. Supr. Ct. Apr. 18, 2013).

[3] See Travelers Indem. Co. v. Portal Healthcare Sols., L.L.C., Complaint for Declaratory Judgment, [D.E. 1], No. 1:13-cv-00917 (E.D. Va. July 30, 2013).

[4] Id.

[5]  Id. at ¶ 10.

[6] See Travelers Indem. Co. v. Portal Healthcare Sols., LLC (“Travelers I”), 35 F. Supp. 3d 765, 768 (E.D. Va. 2014).

[7] Id. at 769.

[8] Id. (emphasis added).

[9] Id. (alterations and ellipses in original).

[10]  Id.

[11]  Id. at 771 & 772.

[12] Id. at 770.

[13] Id.

[14]  Id.

[15] Id. at 771–72.

[16]  Id.

[17] Id. at 772.

[18] Id.

[19] Id.

[20] See Travelers Appeal, No. 14-1944, at *8.

[21] Id. at *7 (internal quotations omitted).

[22]  Id. at *8 (internal quotations omitted) (alteration in original).

[23] See Travelers I, 35 F. Supp. 3d at 768.

[24] Id. at 771.