In a pair of recent cases, two California health care providers successfully warded off lawsuits arising from the theft of computers holding patient files. These cases illustrate that improper disclosure of electronically stored personal information is a growing concern for the health care industry. They also highlight judicial reluctance, at least in California, to impose damages on health care providers where a security breach causes minimal or no actual harm to plaintiffs.
Both cases were brought under the California Confidentiality of Medical Information Act (CMIA), which prohibits health care providers from disclosing medical information about patients without authorization. The Act further requires every provider who creates, maintains, preserves, or destroys medical information to do so in a manner that “preserves the confidentiality of the information contained therein.” In addition to other remedies available at law, CMIA plaintiffs may seek nominal damages of $1,000 from individuals or entities who negligently release confidential information in violation of the Act.
On October 15, 2014, the Supreme Court of California declined to hear an appeal of a lower court’s ruling that Sutter Health was not liable for some $4 billion in damages following a data breach. The case arose after a thief broke into Sutter Health’s Sacramento office and stole a desktop computer containing the medical records of more than four million patients. The computer’s hard drive was password-protected but not encrypted. Plaintiffs filed a class action suit alleging that, although there was no evidence that the thief had accessed the medical records on the hard drive, Sutter Health nevertheless violated Sections 56.10 and 56.101 of the CMIA because of the “potential misuses of personal medical information.” In response, Sutter Health filed a demurrer arguing that the complaint failed to state a cause of action absent allegations that any unauthorized person had viewed the stolen data.
California’s Third District Court of Appeal ultimately sided with Sutter Health and ordered the class action dismissed. It held that Section 56.10’s prohibition on improper disclosure of medical data was not triggered, because “disclosure” implies an affirmative communicative act on the part of the provider rather than a theft by a third party. Because the computer was stolen by, and not given to, the thief, there was no impermissible disclosure under that Section. Section 56.101’s confidentiality requirement, by contrast, did apply to Sutter Health, but the court held that it had not been violated because confidentiality itself was never breached. The court reasoned that the Act tolerates a change in physical possession of paper or electronically stored data as long as the confidentiality of the information is preserved. In other words, the CMIA did not impose liability where Sutter Health merely lost possession of the medical records and there was no showing that the thief had accessed the confidential files.
A California appellate court reached a similar conclusion in a case arising from a March 2011 theft of a computer from Eisenhower Medical Center in Rancho Mirage, California. The computer contained an index of over 500,000 patients’ names, medical record numbers, ages, dates of birth, and Social Security numbers. Like the Sutter Health drive, the index was password-protected but not encrypted. Eisenhower Medical moved for summary judgment, conceding that the theft resulted in the release of “individually identifiable information” but contending that the stolen index contained no medical data. On that view, the CMIA imposes liability only for the impermissible disclosure of a patient’s “medical history, mental or physical condition, or treatment.” Plaintiffs responded that the mere fact that individuals were identified by name as patients of the provider amounted to a release of medical history.
The court agreed with Eisenhower Medical. Under Section 56.05 of the CMIA, “medical information” is “individually identifiable information . . . regarding a patient’s medical history, mental or physical condition, or treatment.” Applying the plain meaning of the Act, the court concluded that this definition does not reach demographic or numeric data absent some history of treatment, diagnosis, or care. The mere fact that a person was at some time a patient of the provider, the court held, was insufficient to impose liability under the CMIA.
These cases illustrate how difficult it is for patients to sue California health care facilities successfully following a data breach. Nonetheless, the risk to providers remains. Plaintiffs who can prove that electronic medical information was improperly disclosed, or was actually viewed by an unauthorized person, may still recover large sums from health care providers. The cases also underscore that providers should be diligent in storing and safeguarding electronic patient files. In both cases the stolen data was password-protected but not encrypted; a login password does not stop someone with physical possession of a drive from reading its contents, so encrypting stored patient data is the safeguard that would have made access by the thief impossible rather than merely unproven.