On July 22, 2014, the California Court of Appeal, Third Appellate District, found that patients whose confidential health information had been stolen could not sustain a class action absent an allegation that the information was actually viewed by unauthorized third parties.

In Sutter Health v. Superior Court, plaintiffs alleged that a thief broke into a Sutter Health office and stole a desktop computer containing protected health records of more than four million patients. Although the computer’s hard drive was password-protected, the records were unencrypted. The plaintiffs sought to assert a class action on behalf of these patients, seeking recovery under California’s Confidentiality of Medical Information Act (CCMIA). Because the CCMIA provides for an award of $1,000 in nominal damages per patient if a health care provider negligently releases medical information in violation of the CCMIA, the complaint potentially claimed $4 billion in damages. However, plaintiffs did not allege that any unauthorized person actually viewed the stolen records.

Sutter Health demurred to the complaint and also moved to strike the class action allegations. The trial court denied the motion to strike and overruled the demurrer, finding a cause of action for breach of the CCMIA could be stated without averring that unauthorized persons viewed the confidential information.

Issuing a peremptory writ of mandate and directing the trial court to enter a new order sustaining the demurrer without leave to amend, the Sutter Health Court held that mere possession of the medical information or records by an unauthorized person, if that person has not viewed the information, cannot support an actionable breach of confidentiality.

The Sutter Health Court analyzed a 2013 Second Appellate District decision in Regents of the University of California v. Superior Court, where that court also found no claim had been stated where an encrypted external hard drive containing personal health information was stolen during a home invasion robbery. Although the drive was encrypted, the password had been printed on an index card and the card could not be located. The Regents plaintiffs based their claim on the negligent loss of possession of the hard drive and encryption password. The Regents Court found that, although the plaintiffs had adequately stated that the Regents violated the CCMIA by failing to adequately maintain the information’s confidentiality, without an allegation of actual disclosure to an unauthorized third person, the plaintiffs could not qualify for the nominal damages award remedy.

Although the two courts ultimately reached the same conclusion, the Sutter Health Court went a step further than the Regents Court, holding that, without an allegation of an actual breach of confidentiality, Sutter Health could not be found to have violated the CCMIA in the first instance.

Both of these decisions involved cases at the pleading stage where the plaintiffs did not allege an actual disclosure to an unauthorized third party. As a result, we can expect to see — and have already seen — complaints filed for breach of the CCMIA that take pains to allege actual disclosure to unauthorized third parties. However, as the Regents Court noted, to sustain a claim for damages, “what is required is pleading, and ultimately proving, that the confidential nature of plaintiff’s medical information was breached as a result of the health care provider’s negligence (emphasis supplied).” Also, because both of these courts found no adequate claim stated, they declined to address issues pertaining to whether these types of claims can be maintained as class actions. Questions addressing the proof required to sustain these claims — and whether these claims are proper for class action treatment — remain to be decided on another day.