In what should be considered a win for the defense, the California Third Appellate Court recently overturned the lower court’s denial of a motion to dismiss a class action lawsuit seeking $4 billion in damages under California’s Medical Confidentiality Act (the Act) due to the alleged disclosure of medical records. In Sutter Health v. The Superior Court of Sacramento County, the Appellate Court specifically held that the mere theft of medical records, such as those contained on a stolen laptop, without any allegations that an unauthorized person viewed the records is insufficient to state a claim.
In October 2011, an unencrypted computer containing the medical records of more than four million patients was stolen from Sutter Health. The plaintiffs filed a class action lawsuit seeking statutory damages under section 56.101 of the Act. This section provides a penalty for any health care provider, service plan, pharmaceutical company or contractor who “negligently creates, maintains, preserves, abandons, destroys, or disposes of medical information.” Among other remedies, the Act provides for nominal damages of $1,000 per patient if the records or medical information are released in violation of the Act.
Considering the more than four million patients affected, the complaint sought statutory damages in excess of $4 billion. In its motion to dismiss, Sutter Health argued plaintiffs did not state a claim under the Act because the complaint did not allege that an unauthorized person actually viewed the stolen medical records. The trial court denied Sutter Health’s motion to dismiss. Fortunately, the Appellate Court disagreed and overturned the trial court’s ruling.
In doing so, the Appellate Court ruled that the “mere possession of medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.” In its ruling, the Appellate Court went one step further than the court in the recent case Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549. In Regents, the Second District Appellate Court found a violation of section 56.101 of the Act, but refused to award damages without evidence that the records were actually viewed by an unauthorized person.
In Sutter, the Appellate Court ruled that the confidential health information must first be viewed for there to be a violation of section 56.101 of the Act. The Sutter court, in interpreting section 56.101, distinguished between the unauthorized possession of medical information versus the preservation of confidentiality, which the Court explained was the true focus of the Act. The Court pointed out that if unauthorized possession were the equivalent of negligent preservation under section 56.101, then unintended consequences would result. For example, the Court noted that under the plaintiffs’ interpretation of the statute, if a thief stole a computer containing the medical information of four million patients, and then reformatted the hard drive to sell the computer without ever knowing that it contained such information, the health care provider would still be liable for $4 billion in damages.
The Appellate Court points out the statute’s use of the word “negligently” as further support for its interpretation. For a court to find negligence, the plaintiff must allege not only a breach but also that that breach caused the injury being protected against. The Sutter court concluded that where there is no allegation that an unauthorized person has viewed confidential medical records, there has been no injury sustained by the plaintiff, and therefore no violation of the statute.
This decision, filed on July 21, 2014, enables health care providers to quickly determine potential liability if they suffer a data breach. More significantly, it narrows the facts under which potential plaintiffs can seek to recover a financial windfall without suffering actual damages. Privacy of individuals’ information is important, but statutes such as the one at issue in this case must be balanced against excessive fines and penalties that could potentially put health care providers out of business.