Login Register Subscribe
Current Issue

Insurer must defend health care firm in cyber breach

Reprints

A Travelers Corp. unit is obligated to defend a health care company in a cyber breach case under its comprehensive general liability policies, a federal appeals court has ruled.

In an April 2013 putative class action lawsuit filed in New York Supreme Court in Saratoga, Portal Healthcare Solutions L.L.C. was accused of allowing patients' medical records to be accessible online from Nov. 2, 2012, to March 14, 2013.

According to The Travelers Indemnity Co. of America v. Portal Healthcare Solutions L.L.C., Centreville, Virginia-based Portal Healthcare was accused of negligence, breach of warranties and breach of contract.

Portal Healthcare had been insured for the relevant period through CGL policies issued by Travelers, according to Monday's ruling by the 4th U.S. Circuit Court of Appeals in Richmond, Virginia.

Travelers agreed to provide a defense to Portal Healthcare under a reservation-of-rights clause.

Travelers later filed suit in U.S. District Court in Alexandria, Virginia, in July 2013, seeking a declaration it was not obligated to defend Portal Healthcare because the class action did not allege “personal injury,” “advertising injury” or “website injury” as defined in the policies.

However, in upholding a lower court ruling, a three-judge panel of the appeals court ruled unanimously Monday in an unpublished opinion that Travelers is obligated to defend the health care company.

Given the pertinent documents, “Travelers' efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal,” the court ruled.

The underlying case is pending and class certification has not yet been decided, said Donald W. Boyajian, a partner at Dreyer Boyajian L.L.P. in Albany.

In 2015, the U.S. District Court in Los Angeles dismissed a cyber coverage case, in which an insurer sought to deny coverage in Columbia Casualty Co. vs. Cottage Health.

However, a New York Supreme Court judge ruled in February 2014 that Zurich America Insurance Co. was not obligated to cover Sony corp. of America for litigation in connection related to the 2011 hacking of its PlayStation Network, because Sony's primary CGL policy and its excess policy did not qualify for such coverage. The case was later settled for an undisclosed amount.