In a recent decision, the California Third Appellate Court severely limited
liability under California’s Confidentiality of Medical Information
Act by ruling that an unauthorized person must view the stolen medical
records in order for plaintiffs to bring a claim. The case involved the
theft of the medical records of more than four million patients.

The Facts of the Case

In 2011, someone broke into an office of Sutter Health and stole a desktop
computer containing the medical records of more than four million patients.
The data was stored on the computer’s hard drive in a password-protected
but unencrypted format, and the office from which the computer was taken
did not have a security alarm or security cameras.
After learning their confidentiality was compromised, several patients
filed a lawsuit seeking to represent, in a class action, all of the patients
whose records were stolen. The complaint alleged violations of the Confidentiality
of Medical Information Act (CMIA), which protects the confidentiality
of patients’ medical information. Among other remedies, the law
provides for an award of $1,000 in nominal damages to a patient if the
health care provider negligently releases medical information or records
in violation of the CMIA.
The complaint did not allege that any unauthorized person had actually
viewed the stolen records, but rather stated: “Plaintiffs are informed
and believe that potential misuses of personal medical information may
not manifest itself for numerous years, and furthermore that credit monitoring
services survey only a small segment of such potential misuses.”
Sutter Health sought to dismiss the case, arguing that the plaintiffs failed
to state a claim under the CMIA because the complaint did not allege that
an unauthorized person actually viewed the stolen medical records. The
trial court denied the motion, and the health provider appealed.

The Court’s Decision

The California appeals court concluded that the “mere possession
of medical information or records by an unauthorized person was insufficient
to establish breach of confidentiality if the unauthorized person has
not viewed the information or records.”
In reaching its decision, the court noted that the goal of the CMIA is
“preserving the confidentiality of the medical information, not
necessarily preventing others from gaining possession of the paper-based
or electronic information itself.” Accordingly, plaintiffs must
allege a breach of that confidentiality in order to sustain a claim.