CHA News Article

Appellate Court Decides Privacy Breach Case
Provides good news for hospitals

The Court of Appeal, second appellate district, ruled today that a cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof that an unauthorized individual actually viewed the confidential information. The decision is good news for hospitals and other health care providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information.

In this class action lawsuit brought against The Regents of the University of California, the plaintiffs sought $16 million dollars following the theft of a laptop in a home invasion robbery of a UCLA physician. The laptop contained encrypted medical information of 16,000 patients; unfortunately, the encryption key was also stolen. There was no evidence that any third party actually accessed or viewed the medical information. The court held that The Regents is not liable to pay damages to the plaintiffs.

However, the court also ruled that a release of information does not require an affirmative communicative act by the health care provider. Therefore, this ruling does not protect hospitals that are victims of theft or loss if the plaintiff can prove that an unauthorized third party actually saw or used the confidential medical information.

CHA filed an amicus brief in this case supporting The Regents of the University of California. A copy of the decision is attached.