Privacy Breach: Virginia Federal Court Requires Travelers To Defend Policyholder Who Posted Patient Records Online
A Virginia Federal Court, applying Virginia law, held that The Travelers Indemnity Company of America (Travelers) had a duty to defend Portal Healthcare Solutions, LLC (Portal) with regard to an underlying action alleging Portal posted patient records on the internet, causing them to become publically available.
Portal specializes in the electronic safekeeping of medical records for medical providers. A class action lawsuit was filed against Portal alleging that Portal failed to safeguard the confidential medical records of patients at a hospital, posting the records on the internet and causing those records to become publically available. The underlying plaintiffs alleged that when they “Googled” their name, the first link that appeared was a direct link to their medical records. There was no allegation in the underlying action that any third-party had viewed the publically available patient records.
Travelers issued two policies to Portal, whereby Travelers agreed to pay sums Portal becomes legally obligated to pay as damages because of injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 policy) or (2) the “electronic publication of material that … discloses information about a person’s private life” (2013 policy).
The court granted Portal’s summary judgment motion regarding Travelers’ duty to defend, “because exposing confidential medical records to public online searching placed highly sensitive, personal information before the public. Thus, the conduct falls within the Policies’ coverage for ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclos[ing] information about, a person’s private life….’”
Travelers argued that there was no “publication,” because Portal’s conduct was not intentional. The court rejected this argument, finding the issue of publication “hinges on whether the information was placed before the public … because unintentional publication is still a publication….” The court also rejected Travelers’ argument that there was no “publication,” because no third party is alleged to have viewed the information: “[T]he issue is not whether a third party accessed the information because the definition of ‘publication’ does not hinge on third-party access. Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information before it.”
In addition, the court rejected Travelers’ argument that there had been no “publicity,” because Portal did not take steps designed to attract public interest or gain public attention to the disclosed records: “There can be no question that posting medical records online without security restriction exposes the records to the general view and thus, gives the records “publicity” since, quite literally, any member of the public can view, download, or copy those records.” Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917-GBL (E.D. Va. August 7, 2014).