In another victory for the defense bar, an appellate court in California held on July 21, 2014 that defendants were not liable for breach of California’s Confidentiality of Medical Information Act (“CMIA”) when a computer containing the confidential medical records of some four million patients was stolen. Sutter Health v. Superior Court of Sacramento County, No. C072591 (Cal.App.3d July 21, 2014).
In Sutter, shortly after Sutter announced the theft of certain medical records, a number of plaintiffs filed complaints, which were then coordinated, resulting in the filing of a master complaint. Plaintiffs alleged a violation of the CMIA, which provides in relevant part that a health care provider cannot disclose confidential medical information without authorization, and which further imposes a duty on health care providers to maintain the confidentiality of such records. In addition, if such confidential information is negligently released, a plaintiff may be entitled to nominal damages of $1,000, even if there are no actual damages.
The court construed the statute to mean that “[t]he mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records.” The court specifically found that “disclosure” under the statute requires an “affirmative communicative act,” and having a laptop stolen by a thief is not such an act.
As to a health care provider’s duty to preserve confidentiality, the court held that “it cannot be said that …. [the CMIA] imposes liability if the health care provider simply loses possession of the medical records. Something more is necessary — that is, breach of confidentiality.”
And as to statutory damages, the court held that permitting such damages without confidential information having been viewed “would lead to unintended results. For example, if a thief grabbed a computer containing medical information on four million patients, but the thief destroyed the electronic records to reformat and wipe clean the hard drive and sell the computer without ever viewing the information . . ., the health care provider would still be liable . . . We cannot interpret a statute to require such an unintended result.”
The decision adds to defendants’ arsenal of arguments against finding liability in the data breach context. As discussed elsewhere on this blog, there have been numerous decisions holding that plaintiffs lack standing, at least in the context of the common law, to pursue a defendant unless there has been an actual injury traceable to the defendant’s conduct. The court’s interpretation of the CMIA comports with the view that a data breach without something more simply is not enough to impose liability.