The California Court of Appeal recently limited plaintiffs’ ability to state a claim under the California Medical Information Act (CMIA), Cal. Civ. Code §§ 56 et seq., and their ability to get statutory damages under the act. Consistent with prior rulings in the data breach space, the court ruled that plaintiffs must plead and prove more than the mere allegation that a health care provider negligently maintained or lost possession of data, but rather that such data was in fact improperly viewed or otherwise accessed.

The Case -

Plaintiff Melinda Platter brought a class action against the Regents of the University of California seeking damages from unlawful disclosure of confidential medical information in violation of the CMIA. Regents of the Univ. of Cal. v. Super. Ct., 220 Cal. App. 4th 549 (2013). She alleged that certain patients treated at UCLA health care facilities had personally identifiable medical information stored on an encrypted external hard drive that was stolen from a doctor’s house in a home invasion robbery. Also missing was an index card near the computer that contained the password for the computer, which presumably would have permitted decryption of the data.

Originally published in Law360 on 12/2/2013.