California Court Dismisses Data Breach Class Action


Last week, the California Third District Court of Appeal dismissed what may have been the largest health data breach class action in history. Consistent with a trend of similar dismissals, the California state appellate court found that Sutter Health had not violated the California Confidentiality of Medical Information Act following the theft of a computer which contained personal information of 4.2 million patients because the plaintiffs could not demonstrate that the stolen information contained on the computer was actually viewed or accessed by an unauthorized person.

In October 2011, Sutter Health reported that a desktop computer was stolen from its facilities that contained unencrypted, but password-protected personal information, including names, birth dates, addresses, and telephone numbers, of 3.3 million patients. The computer also housed confidential medical records of nearly 940,000 patients. Thirteen separate class action lawsuits were consolidated and together sought $4 billion in damages under the California Confidentiality of Medical Information Act. The Act allows for statutory damages of $1000 for each negligent release of medical information.

The unanimous panel decision found that unless plaintiffs could show that they had suffered harm as a result of the data breach, there could be no recovery. Judge George Nicholson wrote, “The legislation at issue is the ‘Confidentiality of Medical Information Act,’ not the Possession of Medical Information Act.” Judge Nicholson found that, in order for the action to be sustained, the Confidentiality Act requires that an unauthorized person actually access (as opposed to merely possess) the stolen information.

The Court differentiated between the physical record and the information contained within the record in arriving at its decision:

It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act.

The Court explored the hypothetical instance where a thief “wipes” clean the hard drive in order to sell the stolen computer. Though the hard drive once contained medical information, the thief may have never seen any of this data or even known it existed. The Court stated that such circumstances, or other occasions where medical information is not actually accessed, do not give rise to a cause of action under the Confidentiality Act.

While Sutter Health may have negligently stored patient information on unencrypted computers, plaintiffs did not demonstrate that their personal data was accessed by any unauthorized individual. The Court consequently dismissed the class action.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising
