A health care provider is not liable under California law for the loss of a stolen computer holding unencrypted medical information without proof that the thief actually viewed the information. This is the holding of the California Court of Appeal in a case brought on behalf of patients of a health care provider claiming damages from the break-in theft of a desktop computer that contained records of about four million patients. The decision in the case of Sutter Health v. Superior Court, C072591, was filed on July 21, 2014.
The computer was password-protected, but not encrypted. The plaintiffs sued under California’s Confidentiality of Medical Information Act, which allows a patient to recover $1,000 in nominal damages against anyone who has negligently released confidential information about the patient in violation of the CMIA. Nominal damages means that no actual loss need be shown – just that the information was negligently released in violation of the law. Had the case succeeded, the nominal damages could have added up to as much as $4 billion.
The Court of Appeal threw the case out, because the plaintiffs did not allege and could not prove that anyone had actually viewed the information on the stolen computer.
Most of the CMIA restricts disclosure of health information. The court held that the provider did not intend to disclose the information to the thief – the thief stole it.
The CMIA also requires providers to maintain medical information in a manner that preserves its confidentiality, and it says that a provider who negligently maintains or stores medical information is liable to damages and penalties, including the nominal damages. The plaintiffs argued that the provider negligently stored the medical information and that this resulted in an increased risk of a confidentiality breach. The court rejected this argument. It said:
“But the Confidentiality Act does not provide for liability for increasing the risk of a confidentiality breach. It provides for liability for failing to preserve the confidentiality of the medical records. . . . There is no allegation that [the provider’s] actions with respect to the records on the stolen computer did not preserve their confidentiality because there is no allegation that an unauthorized person has viewed the records. Without an actual breach of confidentiality, the loss of possession is not actionable . . . .”
This decision raises the bar for plaintiffs in more ways than one. The need to prove inappropriate viewing may make it difficult to maintain a class action when there is evidence that only some of the records put in jeopardy were actually viewed. For example, suppose a provider accidentally exposes a database containing many patient records on the Internet, and a few people discover it and view some records before the mistake is discovered and corrected. Presumably, a plaintiff would have to prove that his or her particular records had been viewed, not just exposed to possible view. At $1,000 a head, a plaintiff’s attorney would probably need to gather hundreds of such people before a case might be viable.
The case may also have implications for the health facility reporting requirements under Health & Safety Code Section 1280.15. The Code requires health facilities to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, and requires them to report any such access, use or disclosure to the Department of Public Health and the affected patient within five business days of detection. The recent decision might support an argument that the theft of a computer does not by itself establish unauthorized access, use or disclosure. There are other breach reporting requirements – in particular the HIPAA/HITECH Act breach notification requirements and California’s general consumer breach notification law (Civil Code section 1798.82) – that could apply even where there is no evidence that compromised medical information was actually viewed, but these are in some respects less rigorous than the health facility reporting law. For example, they may allow a risk analysis, and they may allow more time for reporting than the Health & Safety Code does.
Hooper, Lundy & Bookman provides a range of legal services relating to health information technology, including procurement, licensing, compliance and health information privacy and security. For more information, please contact: In San Francisco, Paul Smith, Steve Phillips or Clark Stanton at 415.875.8500; in Los Angeles, Hope Levy-Biehl or Amy Joseph at 310.551.8111; and in Washington, D.C., Bob Roth at 202.580.7700.