Bring An Equalizer to the Fight. Choose a Firm That Was Created to Advocate for Victims.

California Appeals Court Limits Liability Medical Confidentiality Act

In a recent decision, the California Third Appellate Court severely limited liability under California’s Confidentiality of Medical Information Act by ruling that an unauthorized person must view the stolen medical records in order for plaintiffs to bring a claim. The case involved the theft of the medical records of more than four million patients.

The Facts of the Case

In 2011, someone broke into an office of Sutter Health and stole a desktop computer containing the medical records of more than four million patients. The data was stored on the computer’s hard drive in password-protected but unencrypted format, and the office from which the computer was taken did not have a security alarm or security cameras.

After learning their confidentiality was compromised, several patients filed a lawsuit seeking to represent, in a class action, all of the patients whose records were stolen. The complaint alleged violations of the Confidentiality of Medical Information Act (CMIA), which protects the confidentiality of patients’ medical information. Among other remedies, the law provides for an award of $1,000 in nominal damages to a patient if the health care provider negligently releases medical information or records in violation of the CMIA.

The complaint did not allege that any unauthorized person had actually viewed the stolen records, but rather stated: “Plaintiffs are informed and believe that potential misuses of personal medical information may not manifest itself for numerous years, and furthermore that credit monitoring services survey only a small segment of such potential misuses.”

Sutter Health sought to dismiss the case, arguing that the plaintiffs failed to state a claim under the CMIA because the complaint did not allege that an unauthorized person actually viewed the stolen medical records. The trial court denied the motion, and the health provider appealed.

The Court’s Decision

The California appeals court concluded that the “mere possession of medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.”

In reaching its decision, the court noted that the goal of the CMIA is “preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself.” Accordingly, plaintiffs must allege a breach of that confidentiality in order to sustain a claim.