Insurer tried to say CGL offered no breach coverage
A federal court ruled recently that a commercial general liability policy issued by Hartford Casualty Insurance Co. covers defense costs and damages that might arise from two lawsuits brought by patients who alleged a massive data breach exposed their personal medical information to public view for more than a year.
The U.S. District Court for the Central District of California rejected Hartford’s argument that the policy’s exclusion of statutory causes of action was triggered because the litigation was brought under the California Confidentiality of Medical Information Act (CMIA), court records show.1 The exclusion did not apply because the state’s common law has long recognized a right to medical privacy, the court reasoned.
Roberta D. Anderson, JD, a partner with the law firm of K&L Gates in Pittsburgh, offers this summary of the federal court decision: The ruling was prompted by litigation in which patients sued Stanford Hospital and Clinics and Corcino & Associates, and claimed that the protected health information (PHI) of almost 20,000 patients was posted on a public website for almost a year.
Leaders at Corcino thought they were covered. They sought defense and indemnification under a provision of their Hartford general liability policy that covers damages stemming from the "electronic publication of material that violates a person’s right of privacy." The "personal and advertising injury" insuring clause of policy stated that Hartford Casualty Insurance Co. would "pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury.’"
The term "personal and advertising injury" was defined in the policy as "including consequential bodily injury,’ arising out of one or more of the following offenses: e. Oral, written or electronic publication of material that violates a person’s right of privacy. As used in this definition, oral, written or electronic publication includes publication of material by someone not authorized to access or distribute the material."
But Hartford balked and said the policy specifically excluded coverage for injuries "arising out of the violation of a person’s right to privacy" created by statute. It argued that the claim could be denied because it was excluded from coverage under the following exclusion pertaining to violations of statutorily created rights: "This insurance does not apply to: p. Personal and Advertising Injury, (11) Arising out of the violation of a person’s right to privacy created by any state or federal act." Hartford took the issue to court and sought declaratory relief from having to defend and indemnify Corcino in the state court actions.
The federal district court dismissed Hartford’s action and pointed to another clause in the policy that made the exclusion inapplicable where the insured could be liable for damages under the common law. The court explained that the exclusion only applied in instances in which a claim arising out of an invasion of privacy is created by statute.
California law recognizes a right to privacy and allows tort actions for violations of that right. "The statutes thus permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage," the court held.
In considering Stanford’s motion to dismiss, the court noted that "insurance coverage is interpreted broadly so as to afford the greatest possible protection to the insured." The court said that "if any reasonable interpretation of the Policy would result in coverage, a court must find coverage even if other reasonable interpretations would preclude coverage."
- Hartford Casualty Ins. Co. v. Corcino & Assocs., No. 2:13-cv-03728-GAF-JC (C.D. Cal. Oct. 7, 2013).