In a case against Sutter Health involving records from a stolen office computer, the California Court of Appeal recently issued a decision limiting plaintiffs’ ability to state a claim and obtain statutory damages under the California Medical Information Act (CMIA) without a showing that the medical information was actually viewed by an unauthorized person. Sutter Health v. Super. Ct., 2014 Cal. App. LEXIS 638 (July 21, 2014). The Court held: “The mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.”
Plaintiffs alleged that the medical records of more than 4 million patients were stored on a desktop computer that was stolen after someone broke into an office of Sutter Health. The records on the hard drive were allegedly password-protected but unencrypted. Plaintiffs’ complaint alleged that Sutter Health violated sections 56.10 and 56.101 of the CMIA, which prohibit disclosure of medical information without authorization and direct a health care provider to preserve the confidentiality of medical information. Under the nominal damages provision in section 56.36, plaintiffs sought to represent a class of all patients whose records were stolen and a potential $4 billion award.
Sutter Health demurred to the complaint, which was overruled by the trial court, and then filed a petition for writ of mandate. Writing for a unanimous panel, Justice Nicholson sustained the demurrer and dismissed the action because plaintiffs’ complaint did not allege that any unauthorized person actually viewed the stolen records from the hard drive. To interpret the CMIA to provide nominal damages “to every person whose medical information came into the possession of an unauthorized person without that person viewing the information would lead to unintended results.” The Court warned that, under this interpretation, a health care provider could be liable for $4 billion when a thief never viewed, or even knew the existence of, the electronic records. It concluded: “We cannot interpret a statute to require such an unintended result.”
This decision follows on the heels of the Second Appellate District’s decision last year in Regents of the Univ. of Cal. v. Super. Ct., 220 Cal. App. 4th 549 (2013), previously discussed here, similarly ruling that plaintiffs must plead and prove more than the mere allegation that a health care provider negligently maintained or lost possession of data, but rather that such data was in fact improperly viewed or otherwise accessed. While using a “different analytical route,” the Court here arrived at the same conclusion as Regents.
First, the Court found that CMIA section 56.10 did not apply to the facts of this case. The Court explained that the context and ordinary meaning of the term “disclosure” require an “affirmative communicative act.” As Sutter Health did not intend to disclose the medical records to the thief, there was no such affirmative communicative act.
Second, the Court held that plaintiffs failed to state a cause of action under section 56.101 of the CMIA because there was no actual breach of confidentiality. The language of section 56.101 “makes it clear that preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself, is the focus of the legislation.” Based on this language, the Court concluded that there must be a breach of confidentiality in order to violate section 56.101.
The Court then stated that no breach of confidentiality takes place “until an unauthorized person views the medical information.” Loss or change of possession is not actionable. Relying on the recent California Supreme Court decision Brown v. Mortensen, the Court explained that the focus of the CMIA was the medical information itself, so possession of the physical record without actually viewing the information “does not offend the basic public policy advanced by the [CMIA].”
Without any allegations that their records had been “exposed to the view of an unauthorized person,” plaintiffs had failed to show any injury—actual breach of confidentiality—and therefore could not state a claim under section 56.101. The Court stated that its analysis was unchanged by the nominal damages provision (section 56.36(b)(1)) because even nominal damages are not available if the injury has not occurred.
This case is important because it demonstrates “the main pleading problem for the plaintiffs” in making CMIA claims when there is no allegation or proof that their medical information was actually viewed by an unauthorized person. Coupled with the Regents decision, there is now growing California Court of Appeal authority that limits a plaintiff’s ability to bring such claims for health care data breaches.