The Ontario Superior Court has ruled that an insurance company is obligated to defend a hospital employee against a privacy breach lawsuit by a former patient.
In the case Oliveira v. Aviva Canada Inc., the ex-patient alleged that the employee – who is not involved in providing care to the patient – breached the patient’s privacy by frequently accessing the patient’s medical records without a legitimate reason.
The insurance policy issued by Aviva provided coverage to the hospital and its employees for third party claims for “personal injury,” something broadly defined by the insurer. Things that constitute as “personal injury” include invasion and/or violation of privacy, but only for liability “arising from the operations of” the hospital and only for employees “while acting under the direction of” the hospital.
Aviva refused to defend the employee on the basis that the alleged privacy breach did not arise from the “operations” of the hospital. The insurer also argued that the employee was not “acting under the direction of the hospital” when the individual committed the alleged privacy breach. The company added that the employee abused her position and engaged in unlawful activities unrelated to her employment by the hospital, conflicting with her employment obligations.
However, the Superior Court rejected these arguments, saying that they would have excluded a considerable portion of the privacy breach coverage that Aviva’s insurance policy claimed to provide.
Lexology reported that the court then applied established legal principles for the interpretation of insurance policies, which include “the duty to defend is broader than the duty to indemnify”, “the mere possibility that a claim falls within the policy will suffice to trigger a duty to defend”, “coverage provisions should be construed broadly; exclusion causes should be interpreted narrowly” and “courts should avoid interpretations of policies that substantially nullify coverage”.
The court additionally pointed out that insurance coverage for “invasion or violation of privacy” included the common law tort of “intrusion upon seclusion”, which includes deliberate and highly offensive invasions of privacy by employees that may be outside a patient’s circle of care.