In April 2013, a class action lawsuit was led in New York Supreme Court, which Portal Healthcare Solutions; LLC (“Portal”) was accused of allowing patient medical records to be accessible from November 2, 2012 to March 14, 2013.
Portal was accused of negligence, breach of warranties and breach of contract. Portal was insured for the relevant period of time through CGL policies issued by Travelers Indemnity Co. of America (“Travelers”). In 2013, Travelers led a lawsuit in the U.S Court of Alexandria, seeking a declaration it was not obligated to defend Portal Healthcare because the class action did not allege “personal injury” or “website injury” as defined in the policies.
The Federal Fourth District Court of Appeals is often known as a pro-insurance company jurisdiction but here has ruled in favor of the insured in a manner consistent with other States that may be seen as more pro-policyholder. The Fourth District follows the so-called “Eight Corners” Rule which requires a court interpreting an insurance policy to review the “four corners” of the underlying complaint and the “four corners” of the underlying insurance policy. States such as California allow for extrinsic evidence to be considered, though this often means that the extrinsic evidence reviewed is that which is favorable to the policyholder.
Also of significance in its ruling, the Fourth District Court of Appeals expressly rejected any narrow definition of the words “publication” or “disclosure” in such policies issued to companies that provide services of maintaining computer secrecy of patient medical records. The appellate court rejected Traveler’s effort to parse alternative dictionary definitions and found the “plain meaning” of those terms did not require anything more than the information becoming available on the Internet. It does not require proof of a third person reading the information and does not require proof of any intentional disclosure by the insured company.
Thus, the Federal Court of Appeals affirmed the finding of the lower court that there was coverage for the insured company in defending against the class action which plaintiff patients brought as a result of the publication on the Internet of their private medical records. This case is significant because it provides guidance in defining the scope of such policies concerning cyber breaches and class action lawsuits by consumers who allege injury arising from cyber breaches.