With the California Supreme Court denying a petition for review in Sutter Health v. Superior Court (Atkins), in California a health care provider is not liable for the nominal damages set forth in the state’s Confidentiality of Medical Information Act (CMIA) when password-protected but unencrypted information is stored on a computer and the device is stolen, absent evidence the data was actually viewed.
After the California Court of Appeal, Third Appellate District, dismissed 13 coordinated lawsuits, the plaintiffs’ attorneys in the data theft action filed their petition for review with the California Supreme Court on August 29, 2014. The plaintiffs claimed whether the data was viewed, Sutter had a duty to protect the confidential information, such as through encryption, and failed to meet its duty. On October 15, 2014, the court denied the petition.
Sutter Health maintained medical records concerning the plaintiffs on a desktop computer that was stolen from an office after someone broke in. The medical records of more than 4 million patients were stored on the computer’s hard drive in password-protected but unencrypted format. The plaintiffs did not allege that any unauthorized persons had actually viewed the records, but claimed potential misuses of the information may not manifest for years. The plaintiffs sought the $1,000 nominal damages set forth in the CMIA for each class member, or roughly $4.24 billion in damages.
In their complaint, the plaintiffs alleged Sutter Health violated two different sections of the CMIA (§§ 56.10 and 56.101), which invoked the remedy provision of §56.36. The plaintiffs first argued there was a prohibited unconsented-to disclosure, but the court responded that the statute required an affirmative act of disclosure by the defendant, which was not satisfied by a theft. The second provision argued provides, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider … who negligently maintains … [or] stores … medical information shall be subject to the remedies and penalties provided under … Section 56.36.” That section allows anyone whose confidential information has been negligently released to bring an action for $1,000 nominal damages. “In order to recover under this paragraph it shall not be necessary that the plaintiff suffered or was threatened with actual damages.”
The appellate court held there was no breach of confidentiality absent actual viewing of the information; mere possession of medical information or records by unauthorized persons was insufficient to establish breach of confidentiality. The court agreed with, in part, but differentiated its ruling from Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, stating it agrees what is required is pleading and proving the confidential nature of the information was breached as a result of the health care provider’s negligence, but the court arrived at its conclusion differently than Regents. In Sutter, the court found that without an actual confidentiality breach, a health care provider has not violated § 56.101 and therefore does not invoke the remedy provided in § 56.36. In Regents, the provider did not dispute the allegation it violated § 56.101, and the court’s decision was based on § 56.36.
The case is good news for health care providers, making it clear that a breach under § 56.101 means a breach in the protection of what is being held in confidence – the actual health information. A change of possession of the vehicle holding the confidence does not trigger liability. Under Sutter, a health care provider is not subject to liability just because possession of a record or computer is lost. There must be an actual breach of the confidential information – that is, confidential information must be accessed.