Last week, the California Third District Court of Appeal dismissed what may have been the largest health data breach class action in history. Consistent with a trend of similar dismissals, the California state appellate court found that Sutter Health had not violated the California Confidentiality of Medical Information Act following the theft of a computer which contained personal information of 4.2 million patients because the plaintiffs could not demonstrate that the stolen information contained on the computer was actually viewed or accessed by an unauthorized person.
In October 2011, Sutter Health reported that a desktop computer was stolen from its facilities that contained unencrypted, but password-protected personal information, including names, birth dates, addresses, and telephone numbers, of 3.3 million patients. The computer also housed confidential medical records of nearly 940,000 patients. Thirteen separate class action lawsuits were consolidated and together sought $4 billion in damages under the California Confidentiality of Medical Information Act. The Act allows for statutory damages of $1000 for each negligent release of medical information.
The unanimous panel decision found that unless plaintiffs could show that they had suffered harm as a result of the data breach, there could be no recovery. Judge George Nicholson wrote, “The legislation at issue is the ‘Confidentiality of Medical Information Act,’ not the Possession of Medical Information Act.” Judge Nicholson found that, in order for the action to be sustained, the Confidentiality Act requires that an unauthorized person actually access (as opposed to merely possess) the stolen information.
The Court differentiated between the physical record and the information contained within the record in arriving at its decision:
It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act.
The Court explored the hypothetical instance where a thief “wipes” the hard drive clean in order to sell the stolen computer. Though the hard drive once contained medical information, the thief may never have seen any of this data or even known that it existed. The Court stated that such circumstances, or other occasions where medical information is not actually accessed, do not give rise to a cause of action under the Confidentiality Act.
While Sutter Health may have negligently stored patient information on unencrypted computers, plaintiffs did not demonstrate that their personal data was accessed by any unauthorized individual. The Court consequently dismissed the class action.